Cyber Security Threats in Hong Kong SAR

Updated as of 26 September 2023 1200hrs

The Situation 

In response to high-profile cyber attacks, Hong Kong authorities are considering introducing a dedicated cybersecurity law and strengthening communications with overseas agencies, to step up legal and regulatory measures against cybercrime.

Hong Kong has seen another cyber attack: on 22 Sep its consumer watchdog, the Consumer Council, disclosed at a press conference that it was investigating a personal data leak, two weeks after Cyberport, a leading digital business technology park, revealed on 7 Sep that it had suffered a ransomware attack.

The Office of the Privacy Commissioner for Personal Data (PCPD) has received data breach notifications from both Cyberport and the Consumer Council and has commenced compliance checks into the two incidents. Both organisations have been advised to notify the affected data subjects as soon as possible.

At the time of writing, the Consumer Council had sent out 25,000 data breach notifications to business contacts, staff and subscribers.


Cyberport Ransomware Attack 

The ransomware group Trigona published data stolen from Cyberport on its dark-web leak site. The leaked data included scans of Hong Kong identity cards, financial statements and résumés belonging to Cyberport staff and tenants. Commercially sensitive information, including lease agreements, receipts, audit reports and correspondence with governments and vendors, was also leaked.


Threat Profile of Trigona  

Trigona is a relatively new ransomware strain that has increasingly hit organisations in non-Western countries, including Brazil, China and Argentina. The threat actor(s) deploying it run a double extortion scheme: data is exfiltrated before encryption and published on a leak site if the victim does not pay. Reported initial access vectors are a combination of brute-force attacks, access to previously compromised accounts purchased from initial access brokers (IABs), and exploitation of vulnerable public-facing applications.

Trigona’s operators have remained highly active: in Q2 2023 (Apr to Jun) they were among the top 20 of the 43 ransomware groups that named victims on their data-leak sites, claiming 18 named victims on their own site during the quarter.

Number of victims named on top 20 ransomware data-leak sites (chart)
(Ref: ReliaQuest Quarterly Cyber-Threat Report: Ransomware & Data-Leak Extortion)

Recent reported activities
•    By April 2023, Trigona was targeting internet-exposed MSSQL servers, gaining access by brute-forcing weak credentials.
•    In May 2023, researchers found a Linux version of Trigona that shares code and behaviour with its Windows counterpart.
•    In June 2023, Trend Micro encountered a new version of Trigona built for 64-bit Windows. It implements additional command-line arguments that were not present in either the Linux version or the original 32-bit version.
•    According to a report from Arete, Trigona has exploited the ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 for initial access. The threat actors have also used access to previously compromised accounts bought from initial access brokers. For lateral movement they use a variety of tools, including Netscan and Splashtop (a legitimate remote access tool), with Splashtop also used to drop further tooling onto a compromised machine.
•    Trigona encrypts files on infected machines with AES and appends a “._locked” extension to each encrypted file; the ransom note is dropped as how_to_decrypt.hta (see the Indicators of Compromise below). The binary carries an encrypted configuration in its resource section, which is decrypted at run time.
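Of the initial access vectors listed above, the brute-force attacks against MSSQL are the cheapest to hunt for, because SQL Server writes every failed login to its ERRORLOG. The script below is an added example written for this page, not Ensign’s tooling and not taken from any of the Trigona reports it summarises. The log lines are constructed to mimic SQL Server’s “Login failed for user” (error 18456) entries, the attacker source 203.0.113.7 is a documentation address, and the threshold of five failures from one source within 60 seconds is an illustrative assumption to be tuned per environment.

```python
"""Flag brute-force login attempts against MSSQL from SQL Server ERRORLOG lines.

Added example, not Ensign's tooling. SAMPLE_ERRORLOG is constructed to mimic the
"Login failed for user" entries (error 18456) SQL Server writes; the threshold
and window are assumptions, tune them to your environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 203.0.113.7 hammers 'sa' and tries 'admin'; 10.0.8.15 is a single typo.
SAMPLE_ERRORLOG = """\
2023-04-10 02:13:40.00 spid12s     SQL Server is now ready for client connections. This is an informational message; no user action is required.
2023-04-10 02:13:45.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 02:13:45.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 02:13:45.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 02:13:46.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-04-10 02:13:46.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 02:13:46.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 02:14:01.00 Logon       Login failed for user 'erp_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.8.15]
2023-04-10 02:15:59.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
"""

# Only the "Login failed" lines carry the account name and client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<src>[^\]\s]+)\]"
)


def parse_line(line):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = LOGIN_FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source IP.

    Returns {source_ip: {"peak": n, "first_seen": ts, "last_seen": ts, "users": set}}
    for every source that reached `threshold` failures within `window_seconds`.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])       # ERRORLOG is chronological, but be safe
    recent = defaultdict(deque)            # per-source timestamps inside the window
    users = defaultdict(set)               # per-source account names tried (spray indicator)
    alerts = {}
    for ts, user, src in events:
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                    # expire failures older than the window
        if len(q) >= threshold:
            a = alerts.setdefault(src, {"peak": 0, "first_seen": q[0], "users": users[src]})
            a["peak"] = max(a["peak"], len(q))
            a["last_seen"] = ts
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{src}: {a['peak']} failures within window, "
              f"{a['first_seen']:%H:%M:%S} to {a['last_seen']:%H:%M:%S}, "
              f"users tried: {sorted(a['users'])}")
```

Run it against a real ERRORLOG (or the Windows Application log, where the same event is logged as MSSQLSERVER event 18456) and the one source with six failures in two seconds stands out while the single mistyped service-account password does not. A large set of distinct user names from one source is the password-spray variant of the same attack; a legitimate application with a stale password will also trip the threshold, which is why the output lists the accounts rather than just a count.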


Our Recommendations
To safeguard systems against ransomware, implement data protection controls and establish backup and recovery procedures so that data remains protected and can be restored if it is encrypted or deleted.
•    Back up your data.  Perform frequent backups of your systems and data following the 3-2-1 strategy: at least three copies of the data, two of them local (on-site) but on different media or devices, and at least one copy off-site. Keep at least one copy offline or immutable and test restores regularly; ransomware operators routinely look for reachable backups and encrypt or delete them before triggering encryption.
•    Cybersecurity awareness training.  Regular, mandatory awareness training keeps the workforce informed about current threats and the phishing and social-engineering lures that precede many intrusions.
•    Keep systems and software updated.  Ensure applications and operating systems carry the latest patches, prioritising internet-facing systems; Trigona’s use of CVE-2021-40539 in ManageEngine ADSelfService Plus shows how an unpatched public-facing application becomes the entry point.
•    Restrict code execution.  Where feasible, enforce access controls on temporary and data folders to prevent code execution from them, limiting where a dropped ransomware binary can run.
•    Review permission-related practices.  Removing local administrative rights can prevent ransomware from running with the privileges it needs to alter local system resources and disable protections.
•    Restrict remote access.  Network controls such as firewalls should limit or block remote desktop protocol (RDP) and other remote management services, which are routinely abused to deploy ransomware. Database services such as MSSQL (TCP 1433) should never be exposed directly to the internet, given the brute-force activity described above.


In the event of a ransomware attack, consider the following immediate measures:
•    Isolate the affected systems.  Disconnect systems believed to be infected from the network (pull the cable, disable Wi-Fi, or quarantine via the EDR or switch port) to stop the spread. Prefer isolation over powering off where possible: shutting down destroys volatile memory (running processes, network connections and, in some cases, encryption keys) that investigators may need.
•    Block network access to any identified command-and-control (C2) servers and leak-site infrastructure used by the operators (see the IP addresses in the Indicators of Compromise below). Treat this as a containment step, not a way to halt encryption: ransomware that carries its configuration inside the binary, as Trigona does, can encrypt without any C2 contact.
•    Notify authorities.  Inform the police and the relevant regulator as appropriate; in Hong Kong, breaches involving personal data can be reported to the PCPD, as Cyberport and the Consumer Council did.
•    Seek help.  Engage a competent incident response team to assist with containment and investigation, and preserve logs and disk images before remediation changes them.


How Ensign can help
Ensign will continue to monitor the developing landscape in Hong Kong and keep you informed of any additional recommendations. 


Ensign’s Digital Forensics and Incident Response service stands ready to aid in a possible incident or security breach.  If you suspect an incident or are experiencing a breach, please contact us at marketing@ensigninfosecurity.com.


Engage experts from the Advisory and Cyber Strategy teams, who can assess the cyber risk of your organisation’s attack surface and security architecture to identify measures that enhance cybersecurity resilience.


Indicators of Compromise

IoC | Type | Notes (if any)
--- | --- | ---
f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663 | SHA-256 (file-based IoC) | Linux.TRIGONA
951fad30e91adae94ded90c60b80d29654918f90e76b05491b014b8810269f74 | SHA-256 (file-based IoC) | Linux.TRIGONA
d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c | SHA-256 (file-based IoC) | Win64.TRIGONA
a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9 | SHA-256 (file-based IoC) | Win64.TRIGONA
2b40a804a6fc99f6643f8320d2668ebd2544f34833701300e34960b048485357 | SHA-256 (file-based IoC) | Win64.TRIGONA
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376 | SHA-256 (file-based IoC) | Win32.TRIGONA
fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b | SHA-256 (file-based IoC) | Win32.TRIGONA
41c9080f9c90e00a431b2fb04b461584abe68576996379a97469a71be42fc6ff | SHA-256 (file-based IoC) | Win64.TRIGONA
c7a930f1ca5670978aa6d323d16c03a97d897c77f5cff68185c8393830a6083f | SHA-256 (file-based IoC) | MSIL.TRIGONA
bef87e4d9fcaed0d8b53bce84ff5c5a70a8a30542100ca6d7822cbc8b76fef13 | SHA-256 (file-based IoC) | svhost.exe (ransomware binary)
853909af98031c125a351dad804317c323599233e9b14b79ae03f9de572b014e | SHA-256 (file-based IoC) | Splashtop
24123421dd5b78b79abca07bf2dac683e574bf9463046a1d6f84d1177c55f5e5 | SHA-256 (file-based IoC) | Netscan
4724ee7274c31c8d418904ee7e600d92680a54fecdac28606b1d73a28ecb0b1e | SHA-256 (file-based IoC) | Netscan
e22008893c91cf5bfe9f0f41e5c9cdafae178c0558728e9dfabfc11c34769936 | SHA-256 (file-based IoC) | Netscan
8d069455c913b1b2047026ef290a664cef2a2e14cbf1c40dce6248bd31ab0067 | SHA-256 (file-based IoC) | Netscan
544a4621cba59f3cc2aeb3fe34c2ee4522593377232cd9f78addfe537e988ddc | SHA-256 (file-based IoC) | start.bat
a15c7b264121a7c202c74184365ca13b561fb303fb8699299039a59ab376adc6 | SHA-256 (file-based IoC) | turnoff.bat
b7fba3abee8fd3bdac2d05c47ab75fdaa0796722451bed974fb72e442ab4fefd | SHA-256 (file-based IoC) | newuser.bat
e5cf252041045b037b9a358f5412ae004423ad23eac17f3b03ebef7c8147a3bb | SHA-256 (file-based IoC) | Mimikatz
5603d4035201a9e6d0e130c561bdb91f44d8f21192c8e2842def4649333757ab | SHA-256 (file-based IoC) | Mimikatz
69f245dc5e505d2876e2f2eec87fa565c707e7c391845fa8989c14acabc2d3f6 | SHA-256 (file-based IoC) | Mimikatz
248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db | SHA-256 (file-based IoC) |
596cf4cc2bbe87d5f19cca11561a93785b6f0e8fa51989bf7db7619582f25864 | SHA-256 (file-based IoC) |
704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2 | SHA-256 (file-based IoC) |
859e62c87826a759dbff2594927ead2b5fd23031b37b53233062f68549222311 | SHA-256 (file-based IoC) |
8f8d01131ef7a66fd220dc91388e3c21988d975d54b6e69befd06ad7de9f6079 | SHA-256 (file-based IoC) |
97c79199c2f3f2edf2fdc8c59c8770e1cb8726e7e441da2c4162470a710b35f5 | SHA-256 (file-based IoC) |
a86ed15ca8d1da51ca14e55d12b4965fb352b80e75d064df9413954f4e1be0a7 | SHA-256 (file-based IoC) |
accd5bcf57e8f9ef803079396f525955d2cfffbf5fe8279f744ee17a7c7b9aac | SHA-256 (file-based IoC) |
da32b322268455757a4ef22bdeb009c58eaca9717113f1597675c50e6a36960a | SHA-256 (file-based IoC) |
e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc | SHA-256 (file-based IoC) |
e97de28072dd10cde0e778604762aa26ebcb4cef505000d95b4fb95872ad741b | SHA-256 (file-based IoC) |
f29b948905449f330d2e5070d767d0dac4837d0b566eee28282dc78749083684 | SHA-256 (file-based IoC) |
fa6f869798d289ee7b70d00a649145b01a93f425257c05394663ff48c7877b0d | SHA-256 (file-based IoC) |
fbba6f4fd457dec3e85be2a628e31378dc8d395ae8a927b2dde40880701879f2 | SHA-256 (file-based IoC) | DC2.exe
94979b61bba5685d038b4d66dd5e4e0ced1bba4c41ac253104a210dd517581b8 | SHA-256 (file-based IoC) | DC4.exe
9c8a4159166062333f2f74dd9d3489708c35b824986b73697d5c34869b2f7853 | SHA-256 (file-based IoC) | DC6.exe
phandaledr@onionmail[.]org | Email address | Ransom note contact email
farusbig@tutanota[.]com | Email address | Ransom note contact email
how_to_decrypt.hta | File name | Ransom note name
3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion | TOR address | Trigona TOR data-leak site / negotiation portal
45.227.253[.]99 | IP address | IP address associated with Trigona activity
45.227.253[.]106 | IP address | IP address currently hosting Trigona leak site
45.227.253[.]98 | IP address | IP address associated with Trigona activity
45.227.253[.]107 | IP address | IP address associated with Trigona activity
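A list of indicators is only useful once it is swept against hosts and logs. The script below is an added example written for this page, not Ensign’s tooling. The hashes (a subset of the table), the defanged network indicators, the ransom note name and the “._locked” extension are copied from the table above; the directory contents and the firewall and mail-gateway lines in demo() are constructed, and because no real sample can ship with an advisory, demo() adds the hash of a stand-in “svhost.exe” to the hash set to show a match. Indicators are kept defanged (“[.]”) and refanged only at match time, so the file can be shared without becoming a clickable list of hostile addresses.

```python
"""Sweep a host and its logs for the Trigona indicators listed in the IoC table.

Added example, not Ensign's tooling. The hash subset, IPs, e-mail addresses,
onion address, ransom note name and "._locked" extension are copied from this
page; the files and log lines built in demo() are constructed.
"""
import hashlib
import os
import re
import tempfile

# Subset of the SHA-256 file indicators from the table above.
TRIGONA_SHA256 = {
    "f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663",  # Linux.TRIGONA
    "d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c",  # Win64.TRIGONA
    "8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376",  # Win32.TRIGONA
    "bef87e4d9fcaed0d8b53bce84ff5c5a70a8a30542100ca6d7822cbc8b76fef13",  # svhost.exe
}
# Network indicators, stored defanged exactly as in the table.
TRIGONA_NETWORK = {
    "45.227.253[.]99", "45.227.253[.]106", "45.227.253[.]98", "45.227.253[.]107",
    "phandaledr@onionmail[.]org", "farusbig@tutanota[.]com",
    "3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion",
}
RANSOM_NOTE = "how_to_decrypt.hta"
ENCRYPTED_EXT = "._locked"


def refang(ioc):
    """Turn the shareable '[.]' form back into a matchable string."""
    return ioc.replace("[.]", ".")


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large archives do not get loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, known_hashes=TRIGONA_SHA256):
    """Find known-bad binaries, Trigona-encrypted files and ransom notes under root."""
    found = {"hash_hits": [], "encrypted": [], "notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                found["notes"].append(path)
            if name.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)   # victim data, no point hashing it
                continue
            if sha256_file(path) in known_hashes:
                found["hash_hits"].append(path)
    return found


def sweep_log(lines, network_iocs=TRIGONA_NETWORK):
    """Return (line_no, indicator) for every network IoC seen, whether the log is defanged or not."""
    wanted = sorted({refang(i) for i in network_iocs}, key=len, reverse=True)
    # Boundaries stop 45.227.253.99 from matching inside 45.227.253.990.
    pattern = re.compile(r"(?<![\w.])(?:" + "|".join(map(re.escape, wanted)) + r")(?![\w.])")
    return [(n, m.group(0))
            for n, line in enumerate(lines, 1)
            for m in pattern.finditer(refang(line))]


def demo():
    """Constructed victim tree and log lines; returns (file findings, log findings)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        for rel, data in {
            "finance/q2_audit.xlsx._locked": b"\x00\x01 opaque ciphertext",
            "finance/lease.pdf._locked": b"\x02\x03 opaque ciphertext",
            "finance/" + RANSOM_NOTE: b"<html>constructed note</html>",
            "svhost.exe": b"MZ constructed stand-in, not a real sample",
            "readme.txt": b"benign file",
        }.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # Simulate a hash hit: the real Trigona hashes cannot ship with this page.
        simulated = TRIGONA_SHA256 | {sha256_file(os.path.join(root, "svhost.exe"))}
        files = sweep_files(root, known_hashes=simulated)
    log = [  # constructed; the first line is defanged, as some SIEM exports are
        "2023-09-06T22:11:03Z fw01 allow tcp 10.0.8.15:51234 -> 45.227.253[.]99:443",
        "2023-09-06T22:11:05Z fw01 allow tcp 10.0.8.15:51236 -> 198.51.100.20:443",
        "2023-09-07T01:02:10Z mx01 outbound rcpt=phandaledr@onionmail.org subject=how_to_decrypt",
    ]
    return files, sweep_log(log)


if __name__ == "__main__":
    files, hits = demo()
    for kind, paths in files.items():
        print(f"{kind}: {len(paths)}")
    for line_no, indicator in hits:
        print(f"log line {line_no}: {indicator}")
```

Point sweep_files at the drives of a suspect host and sweep_log at firewall, proxy, DNS and mail-gateway exports. Hash matches are the weakest signal here, since a rebuilt or repacked binary changes the hash; the “._locked” extension and ransom note are cheap to check and are what a responder sees first, while any hit on the 45.227.253.0/24 addresses or the ransom-note e-mail addresses in outbound logs is the evidence needed to act on the C2-blocking recommendation above.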


References

Hong Kong tech hub Cyberport alerts police, privacy watchdog after reports of ransomware attack exposing 400GB of data (msn.com)

Head of Hong Kong consumer watchdog apologises for potential data leak affecting over 8,000 people, with US$500,000 ransom made by hackers (msn.com)

Consumer Council (Hong Kong): “Consumer Council hacked | Staff and customer data freely taken over 7 hours; Consumer Council: no ransom will be paid” (hk01.com; original title in Chinese: 消委會黑客入侵|員工客戶資料7小時予取予攜 消委會:不交贖金)

CUHK ITSC, Ransomware: Trigona: https://www.itsc.cuhk.edu.hk/user-trainings/information-security-best-practices/ransomware-trigona/

Office of the Privacy Commissioner for Personal Data (PCPD), Media Statement on the Data Breach Incident of the Consumer Council: https://www.pcpd.org.hk/english/news_events/media_statements/press_20230921.html

Office of the Privacy Commissioner for Personal Data (PCPD), Media Statement in Response to Cyberport’s Data Breach Incident: https://www.pcpd.org.hk/english/news_events/media_statements/press_20230913b.html

IoC sources

Trend Micro, An Overview of the Trigona Ransomware: https://www.trendmicro.com/en_za/research/23/f/an-overview-of-the-trigona-ransomware.html

Palo Alto Networks Unit 42, Trigona Ransomware Update: https://unit42.paloaltonetworks.com/trigona-ransomware-update/

Fortinet, Ransomware Roundup: Trigona Ransomware: https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware

Copyright © 2025 Ensign InfoSecurity Pte. Ltd.