Threat activity and vulnerabilities in Indonesia, Malaysia, Philippines, and Thailand

By on 15 Jun 2023

Category: Tech matters

Tags: , , , , , ,

Blog home

Shadowserver has recently been funded by the UK Foreign, Commonwealth and Development Office (FCDO) to provide more detailed and tailored cyber threat insight support to economies in the Association of Southeast Asia Nations (ASEAN), specifically Indonesia, Malaysia, the Philippines, and Thailand.

These activities included obtaining a better understanding of the device makeup of the attack surface exposed in these economies, vulnerability exposure (especially related to emerging threats), and observed attacks/infected devices — both originating from and directed at the region.

The intention is to enrich Shadowserver’s free daily threat feeds and public benefit services to the region, providing National CSIRTs and other system defender entities (organizations that are network owners) with a better awareness of their threat and vulnerability landscape, thus helping them to improve their cybersecurity posture.

This work with the FCDO builds on our previous global outreach to Africa, the Indo-Pacific, and Central and Eastern Europe (CEEC) to shine a cybersecurity spotlight on the ASEAN region with a specific focus on Indonesia, Malaysia, the Philippines, and Thailand. For a review of previous FCDO-supported activities please read:

  1. UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions
  2. Continuing Our Africa and Indo-Pacific Regional Outreach
  3. More Free Cyber Threat Intelligence For National CSIRTs
  4. Shadowserver’s New Public Dashboard

Device fingerprinting

As part of these activities, Shadowserver engaged in adding detection fingerprints for devices observed in the region during our daily Internet scanning. This includes identifying the vendor, type, and model of publicly exposed devices so that Internet defenders in those economies will be better aware of their exposed assets when a potential new threat appears.

The following chart shows the top 20 device vendors identified in Indonesia, Malaysia, the Philippines and Thailand during the study. Figure 1 shows devices that are exposed on the public Internet and are possible to identify, but not necessarily vulnerable to an attack.

Figure 1 — The top 20 exposed device vendors found across Indonesia, Malaysia, the Philippines, and Thailand (average daily scan results from 1 February 2023 to 30 April 2023).
Figure 1 — The top 20 exposed device vendors found across Indonesia, Malaysia, the Philippines, and Thailand (average daily scan results from 1 February 2023 to 30 April 2023).

For comparison, across the ASEAN economies, the top 20 device vendor populations are shown in Figure 2.

Figure 2 — The top 20 exposed device vendors found across ASEAN economies (average daily scan results from 1 February 2023 to 30 April 2023).
Figure 2 — The top 20 exposed device vendors found across ASEAN economies (average daily scan results from 1 February 2023 to 30 April 2023).

You can explore the above charts interactively using Shadowserver’s public dashboard filtered for Indonesia, Malaysia, the Philippines and Thailand, or for all ASEAN economies.

Thailand

Thailand has an unusually high number of exposed ZTE devices. In addition to Huawei and Mikrotik devices that are commonly seen in the region, Thailand also has a relatively high number of TP-Link and Fortinet devices exposed:

Figure 3 — The top 20 exposed device vendors found across Thailand (average daily scan results from 1 February 2023 to 30 April 2023).
Figure 3 — The top 20 exposed device vendors found across Thailand (average daily scan results from 1 February 2023 to 30 April 2023).

Indonesia

In comparison, Indonesia features a very high concentration of MikroTik devices, the third highest in the world. Misconfigured or unpatched MikroTik devices are often one of the top targets, as shown in Figure 4.

Figure 4 — Publicly exposed MikroTik devices worldwide (by unique IP address) on 30 April 2023.
Figure 4 — Publicly exposed MikroTik devices worldwide (by unique IP address) on 30 April 2023.

It is also worth noting the uniquely high number of Hughes Network Systems devices (used for satellite broadband Internet) in Indonesia — the largest in the world (though interestingly, we did not observe any malware infections related to those IP addresses).

Figure 5 — The top 20 exposed device vendors found across Indonesia (average daily scan results from 1 February 2023 to 30 April 2023).
Figure 5 — The top 20 exposed device vendors found across Indonesia (average daily scan results from 1 February 2023 to 30 April 2023).

Malaysia

Malaysia’s device exposure is dominated by Huawei devices, as well as QLC Chain devices (Figure 6). QLC Chain devices are identified as a ‘next generation public chain for Network-as-a-Service (NaaS)’, which now appears to be unmaintained.

QLC Chain device detections are mostly the result of CoAP exposure. Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks such as in the Internet of Things (IoT):

Figure 6 — The top 20 exposed device vendors found across Malaysia (average daily scan results from 1 February 2023 to 30 April 2023).
Figure 6 — The top 20 exposed device vendors found across Malaysia (average daily scan results from 1 February 2023 to 30 April 2023).

Exposed QLC Chain devices dominate in the Philippines as well (Figure 7).

Figure 7 — The top 20 exposed device vendors found across the Philippines (average daily scan results from 1 February 2023 to 30 April 2023).
Figure 7 — The top 20 exposed device vendors found across the Philippines (average daily scan results from 1 February 2023 to 30 April 2023).

To help system defenders identify devices that are unnecessarily exposed on the public Internet, find free, actionable, detailed and IP-specific data on exposed devices in your network/constituency in Shadowserver’s daily Device Identification report.

Critical vulnerabilities (in exposed infrastructure)

As part of its core activities, Shadowserver also scans and alerts system owners and National CSIRTs about critical vulnerabilities in their Internet infrastructure, especially those that enable unauthenticated remote code execution on high-value resources. These vulnerabilities often result in breaches, which may lead to ransomware deployment.

It is worth noting that a relatively high number of likely vulnerable devices remain publicly exposed in the region. These include Fortinet devices vulnerable to CVE-2022-42475, a FortiOS SSL-VPN heap-based buffer overflow vulnerability, with nearly 900 Fortinet installations across the region (almost half of those in Thailand), as shown in Figure 8.

Figure 8 — Fortinet CVE-2022-42475 in Indonesia, Malaysia, Philippines, and Thailand (1 January - 30 April 2023). The Y-axis shows the unique IP address count.
Figure 8 — Fortinet CVE-2022-42475 in Indonesia, Malaysia, the Philippines, and Thailand (1 January – 30 April 2023). The Y-axis shows the unique IP address count.

Figure 9 shows that multiple VMware-related vulnerabilities in VMware vSphere and ESXi hypervizors —  CVE-2021-21972CVE-2021-21974 (CVSS 8.8), CVE-2020-3992 (CVSS 9.8), CVE-2019-5544 (CVSS 9.8) remain, with over 1,800 likely vulnerable installations (>50% of those are in Thailand).

Figure 9 — VMware CVE-2021-21972, CVE-2021-21974, CVE-2020-3992, CVE-2019-5544 in Indonesia, Malaysia, Philippines and Thailand (1 January - 30 April 2023); Y-axis shows unique IP address count.
Figure 9 — VMware CVE-2021-21972, CVE-2021-21974, CVE-2020-3992, CVE-2019-5544 in Indonesia, Malaysia, the Philippines and Thailand (1 January – 30 April 2023); Y-axis shows unique IP address count.

As can be interpreted by the lack of a decay curve in Figure 9, remediation of these vulnerabilities appears to have stalled. Note, these vulnerabilities were speculated to have been behind the recent ESXiArgs ransomware campaign (see the CERT-FR advisory for more information), so these devices may represent a continuing risk.

Another potentially serious vulnerability is related to exposed Zimbra collaboration servers. CVE-2022-37042 is an often exploited unauthenticated remote code execution vulnerability. Over 1,384 vulnerable installations remain exposed in the region as of 30 April 2023, most of those (nearly 1,000) in Indonesia (Figure 10).

Figure 10 — Zimbra CVE-2022-37042 (CVE-2022-27925) in Indonesia, Malaysia, the Philippines, and Thailand (1 January - 30 April 2023); Y-axis shows the unique IP address count.
Figure 10 — Zimbra CVE-2022-37042 (CVE-2022-27925) in Indonesia, Malaysia, the Philippines, and Thailand (1 January – 30 April 2023); Y-axis shows the unique IP address count.

Another target that is often attacked is Microsoft Exchange. Shadowserver scans the entire Internet daily for multiple Microsoft Exchange vulnerabilities, including:

Shadowserver still observes nearly 650 installations exposed throughout the region that are likely vulnerable to one or more of the above vulnerabilities. As Figure 11 shows, most are in Thailand and Indonesia.

Figure 11 — Microsoft Exchange servers in Indonesia, Malaysia, the Philippines and Thailand (1 January - 30 April 2023); Y-axis shows the unique IP address count.
Figure 11 — Microsoft Exchange servers in Indonesia, Malaysia, the Philippines and Thailand (1 January – 30 April 2023); Y-axis shows the unique IP address count.

It is also worth noting that many Microsoft Exchange servers remain infected with cryptominers, such as DLTminer (around 1000), particularly in Malaysia and Indonesia. You can read more on the background story of DLTMiner and Microsoft Exchange infections in this ESET report.

Figure 12 — Microsoft Exchange servers infected with DLTminer in Indonesia, Malaysia, the Philippines and Thailand (1 February - 30 April 2023); Y-axis shows unique IP count.
Figure 12 — Microsoft Exchange servers infected with DLTminer in Indonesia, Malaysia, the Philippines and Thailand (1 February – 30 April 2023); Y-axis shows unique IP count.

There is actionable, detailed and IP-specific information about vulnerable HTTP services (including the Fortinet, VMware and Zimbra vulnerabilities highlighted above) and vulnerable Microsoft Exchange servers in your network/constituency in our free daily Vulnerable HTTP and Vulnerable Exchange reports.

Aside from HTTP-related vulnerabilities, it is also important to keep track of critical vulnerabilities related to other network protocols. Shadowserver also scans for many of those. A recent example is an SNMP-related CVE-2017-6736 vulnerability in Cisco routers which, while old, is known to have been recently abused by threat actor APT28 – as reported by NCSC UK and Shadowserver. On 16 May 2023, Shadowserver observed 652 routers in the ASEAN region as still potentially vulnerable. Remediation advice can be found at Cisco.

Figure 13 — Cisco routers by unique IP address vulnerable to CVE-2017-6736 in ASEAN (on 16 May 2023).
Figure 13 — Cisco routers by unique IP address vulnerable to CVE-2017-6736 in ASEAN (on 16 May 2023).

Infected (attacking) devices

Shadowserver also attempts to identify devices detected attacking its honeypot sensors (and attempting to use the sensor to perform Distributed Denial of Service (DDoS) attacks). You can track these attacks on Shadowserver’s Dashboard (updated daily), and filter by economy as well.

For Thailand, we typically see attacking infected devices to be MikroTik and also devices running the Boa webserver (these may actually be multiple vendors). Development of the Boa webserver was discontinued in 2005(!), but the unsupported software continues to be used by multiple manufacturers. For more background on Boa-related attacks, see the Microsoft article ‘Vulnerable SDK components lead to supply chain risks in IoT and OT environments‘.

For Indonesia, MikroTik infections are unsurprisingly prevalent due to the high concentration of those devices in the economy. We also see a significant number of Fortinet infections.

In addition, we see Ubiquiti Unifi controllers and Zimbra servers used for DDoS attacks (note the vulnerable population of Zimbra servers in Indonesia compared to other economies discussed earlier).

In Malaysia, MikroTik is the most commonly observed infected device, followed by embedded Boa devices and FiberHome devices.

The Philippines is the only economy that breaks the daily MikroTik majority pattern, with FiberHome and Huawei Home Gateway devices typically occupying the top classifications of infected devices. However, for DDoS attacks originating in this region, we predominantly observe MikroTik devices attacking from the Philippines.

Finally, it is worth noting that Hikvision and HiSilicon-based DVRs are the most commonly infected video system devices in the region.

Exploited CVEs

Shadowserver also tracks Common Vulnerability Exposure (CVE) exploit attempts throughout the region and across the world, primarily focusing on exposed HTTP resources. CVE signatures supported by our sensors were also enhanced as part of the recent FCDO-funded project, with a focus on CVEs being used in attacks against resources in the region.

In the period between 1 February and 30 April 2023, the most common CVE exploitation attempt (by unique source IP address) observed originating from each economy was CVE-2017-17215 (targeting Huawei HomeGateway devices). This is an old CVE used in many Mirai-based botnets. However, in general, software vulnerability exploitation attacks observed coming from the region are surprisingly few.

Of more interest are the exploits used to attack our sensors in particular economies. The most common attack (by connection) against Thailand-based sensors is one dedicated to SugarCRM (CVE-2023-22952), which we first reported on 16 January 2023. For Malaysia and Indonesia, the most common attack was the Unisharp Laravel File Manager (CVE-2022-40734). For the Philippines, it was the TP-Link CVE-2017-16959.

Summary

We see a significant attack surface exposed in Indonesia, Malaysia, the Philippines and Thailand, especially related to home router brands and video systems. This is an area where focused remediation and awareness campaigns may help in reducing that exposure. Many of these devices are infected and in use in DDoS botnets.

Additionally, critical vulnerabilities in Microsoft Exchange, Fortinet, VMware, and Zimbra installations remain, making them easily discoverable points of entry for ransomware operators and APT groups. It is also potentially problematic that one of the highest exposures appears related to a now-defunct QLC Chain project, which is unlikely to receive security updates.

We hope that these observations demonstrate that it is possible to obtain a view into the exposed Internet infrastructure of an economy, not just on exposed services but on the actual (vulnerable) device makeup. This device makeup can have an impact on Internet defenders (and, of course, attackers).

Some of the devices may not need to be accessible to external queries from the public Internet. Exposing them unnecessarily in this way may pose additional security risks, which we have also illustrated specifically for the selected economies. Obtaining situational awareness about the vendor makeup of externally accessible devices on a network of responsibility may allow for more efficient incident response and patch rollout processes, should any new vulnerabilities be announced in these devices.

Additionally, national CSIRTs that wish to be more proactive should focus on mitigating the exposed attack surface created — especially by the known vulnerable devices, which are continuously compromised by multiple threat actors and used for staging other types of potentially more serious attacks.

All the data discussed in the article is shared daily for free with national CSIRTs in Indonesia, Malaysia, the Philippines, Thailand, and other ASEAN economies, as well as with specific network owners/operators who have subscribed directly to Shadowserver’s public benefit services.

If you have not yet already done so, please sign up for Shadowserver’s free daily threat feeds that will provide you with specific, actionable IP information about threats or vulnerabilities seen on your network(s). These will be filtered for your networks/domains or constituency (or economy, for national CSIRTs).

Please also consider joining the Shadowserver Alliance, which will provide you with additional insights, details into threats that we see and other benefits (as well as help to ensure financial sustainability for all of Shadowserver’s free public benefit services).

For any questions, please contact us.

Piotr Kijewski helps make things happen at the Shadowserver Foundation, coordinating large-scale data collection and analysis projects, and managing Shadowserver’s CSIRT relationships.

Jonathan Flaherty co-authored this post.

Adapted from the original post at Shadowserver.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

Top