2015 network security highlights

Posted by tzul at 2020-02-27

Monday, December 7, 2015

At the end of last year, Security Bull published its first annual review of security events, "2014 Network Security Events". That article reviewed the year's most influential events in the security industry and offered a brief judgment on future trends. After publication it drew the attention of many people in the industry and even of regulators, which shows the reference value such a review has for the industry and for society. Security Bull has therefore decided to keep reviewing the year's network security events in this form. Now that another year is about to pass, let's take a look at the 2015 cybersecurity highlights.

1、 Security activities in full swing

2015 can be called the breakout year for domestic security activities. Practitioners and enterprises not only took an active part in influential overseas security conferences; it was also the year with the densest schedule of domestic conferences, salons, forums, exhibitions, competitions and other events.

Among them, cracking contests and attack-and-defense competitions were especially popular. The main cracking contests are Pwn2Own internationally and GeekPwn and HackPwn in China. Whether the most secure operating system or browser, the most popular software application, or smart devices such as cars, drones, electric ovens, POS terminals and mobile phones, none could hold out in front of the contest masters. Domestic attack-and-defense competitions also broke out: for example, the 180-person contest on Beijing's 4.29 Capital Cyber Security Day, the 2015 China Cyber Security Competition in Wuhan and the annual XDCTF cyber security competition were held across the country.

List of important security industry activities in 2015

On the one hand, the explosion of security activities reflects a rising tide of security awareness across society; on the other hand, it also reveals a certain impetuousness. Security is not just vulnerabilities and solutions, not just hackers and attack-and-defense experts. More important are the defenders and builders doing security work, the security practitioners who understand how enterprises and their businesses operate; they are the cornerstone of the whole security industry.

2、 Financing and M&A continue


In 2015 the security industry saw a wave of investment and M&A, with at least 20 financing or M&A deals of more than US$100 million. The three largest were Bain Capital's US$2.4 billion acquisition of Blue Coat, Cisco's US$635 million acquisition of OpenDNS and SingTel's US$770 million acquisition of Trustwave, a managed security service provider.

Acquisition and financing trends in the overseas security industry in 2015

Note: this table includes only financing deals at the US$100 million level and above.

From the above, we can see that cloud security and security services are a major direction of financing and M&A, and we can see the rise of Israeli start-ups in the security industry.


Baidu, Tencent, Alibaba and 360 made frequent investment and merger moves this year. The influential and public ones are: Tencent's second investment in Chuangyu (Knownsec), of about 600 million yuan; Baidu's wholly-owned acquisition of Anquanbao, for an undisclosed amount of at least 100 million yuan; Alibaba's acquisition of Hanhaiyuan, reported at about 200 million yuan; and 360's official establishment of the 360 Enterprise Security Group in May this year, which has at the same time invested in many security enterprises in the industry, such as Skyguard and Winut, with total investment of more than 3 billion yuan over the past three years.

Beyond the Internet giants' moves, some emerging and start-up security companies, such as Mingchao Wanda, Safedog, WooYun, Witkey Security, Vulbox, ThreatBook (Weibu Online), Skyguard and Clover Security, also raised financing of tens of millions of yuan.

In terms of strategic cooperation, Tencent and Venustech (Qiming Xingchen), Alibaba Cloud and DBAPPSecurity (Anheng), and PricewaterhouseCoopers and Gu'an Tianxia reached strategic partnerships in endpoint security services, cloud security and security advisory services respectively. After reaching a middleware technology cooperation with IBM, Huasheng Tiancheng launched a domestic server based on IBM POWER technology.

In terms of listings, both Topsec (Tianrongxin) and Shangxun Information were listed on the "New Third Board", and traditional security companies such as Shanghai Geer, Jida Zhengyuan and others are also actively planning to go public.

There were also three large M&A events in China this year: Cisco and Inspur jointly invested US$100 million to set up a joint venture; AsiaInfo acquired all of Trend Micro's China business and set up an independent security company, AsiaInfo Security; and Tsinghua Unigroup (Ziguang) acquired 51% of H3C's shares for US$3 billion. In addition, Qihoo 360 will complete its privatization at a total price of US$9 billion and plans to list in China. These events show the impact of localization policy on enterprises: foreign companies want to keep their share of the Chinese market through joint ventures or M&A, while domestic security companies feel they cannot get their due valuation in foreign markets. It is expected that next year more and more foreign-related enterprises will integrate into the domestic market.

3、 Vulnerability impact goes underground

In another article released by Security Bull at the end of last year, "Seven Trends of Network Security in 2015", vulnerabilities in 2015 were predicted as follows: "Software and systems based on communication protocols and traditional operating systems, which matured earlier and are widely used today, have greater destructive power, such as Java and Android. As for smart home and wearable devices, although manufacturers lack security consideration, because they are not yet deployed at large scale, many vulnerabilities can be foreseen to be found, but they cannot form a huge impact."

Now let's take a look at the major vulnerabilities of this year. The vulnerabilities here do not include those that have not yet been widely disclosed and have not had a significant actual impact.

Stagefright / Java deserialization / WormHole / Redis unauthorized access / SS7 / ping socket use-after-free / DexClassLoader / VENOM / SMB redirection / FREAK / GHOST

This series of vulnerabilities includes system-level ones such as Stagefright, protocol-level ones such as FREAK and SS7, application-level ones such as WormHole, and "old" ones such as SMB redirection. Either way, none reached the level of impact or loss of last year's Heartbleed. The reason lies not only in the strengthening of security work across the whole industry, but also in improved emergency response capability and vulnerability submission mechanisms. But it cannot be ignored that the underground black market harms the interests of Internet users worldwide, and even national and social security.

4、 Information leakage still surges

In 2015 the largest information leaks were: 27 million government employees and applicants of the US Office of Personnel Management (OPM); 80 million customers and employees of Anthem, the second-largest health insurer in the United States; 37 million users of Ashley Madison, an extramarital-affairs website; and the hacking of Hacking Team, an Italian spyware company, after which 400 GB of data, including multiple zero-day vulnerabilities, intrusion tools and a large number of work emails and customer lists, was put on the Internet for anyone to download.

The four leaks had different kinds of influence. OPM rose to the political level of cyber warfare between nations. Anthem mainly concerned customers' personal insurance numbers and medical records. Ashley Madison mainly concerned privacy and moral issues; two people committed suicide because of the incident. The impact of Hacking Team lies mainly in its weaponized exploits and disclosed backdoor code, which means that cyber weapons were handed to criminals and the average technical level of the whole underground economy was easily raised.

The following are the information leakage events with the greatest global impact in 2015. The time given is the month of disclosure, not the month the event occurred:

It is worth noting that compared with 2014, the exposure of domestic information leakage events shows a rising trend.

5、 APT attacks emerge one after another


The APT28 hacker group, active since 2007, has constantly used zero-day vulnerabilities to attack NATO and US defense agencies. It is a highly skilled cyber-espionage group that collects defense and geopolitical intelligence. Analysts assess that the group is backed by the Russian government.


APT17 has attacked US defense contractors, law firms, government agencies, technology companies and mining companies. The group mainly uses spear phishing for its initial attacks and uses TechNet, Microsoft's technical documentation website, as its attack platform.


Kaspersky, the anti-virus vendor, was also hit by an APT attack this year. The attack program used is called Duqu 2.0, which exploits three Microsoft zero-day vulnerabilities. Duqu is one of the most closely watched malicious programs since the Stuxnet worm; most Duqu infections appear in industrial control systems.


Over the past five years, the Naikon hacker group has conducted a large number of high-profile geopolitical operations. It has deployed advanced data-mining and surveillance tools in many countries, mainly targeting high-level government agencies and civil and military organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Singapore, Myanmar, Nepal and other countries.

Sandworm

A hacker group named the Sandworm Team used the Windows zero-day vulnerability "Sandworm" to craft PowerPoint files for its attacks. There are five main types of targets: governments, universities, NATO, energy agencies and telecom operators. The targets are spread across Europe and even the United States.


Turla is a highly sophisticated cyber-espionage group, possibly backed by the Russian government. For more than a decade it has carried out cyber espionage against government agencies, embassies and militaries. More than 40 countries around the world, including Kazakhstan, China, Vietnam and the United States, and especially Eastern and Central European countries, are among its targets. At the very high end, Turla hijacks the IP addresses of legitimate satellite Internet users and uses them to exfiltrate stolen data, hiding its command-and-control servers.

Equation Group

According to a research report released by Kaspersky Lab, the firmware of hard drives from more than ten brands made by Seagate, Toshiba, Western Digital and other well-known manufacturers had been implanted with spyware by a hacker group called the "Equation Group" (suspected of being backed by the US National Security Agency). The group's activities date back to 2001 and may even have started in 1996; it has infected thousands of computer systems in more than 30 countries and regions with a variety of spyware. The main target countries include Iran, Russia, Afghanistan and China, involving government, military, financial, energy, media and other institutions.

OceanLotus

A report released by 360's Tianyan (SkyEye) Lab was the first to disclose the details of a state-backed hacker attack against China. The overseas hacker group is named "OceanLotus". Since April 2012, OceanLotus has used Trojans to capture and control the computers of government personnel, outsourcers, industry experts and other target groups, and even manipulated those computers to send relevant information automatically. Targeting China's maritime agencies, maritime construction departments, research institutes and shipping enterprises, it is an APT operation backed by a foreign government.

In recent years the trend of APT attacks has intensified, reflecting the contest between nations at the level of cyberspace.

6、 Security incidents draw attention

The most influential security incident in China is the XcodeGhost incident.

On September 17 this year it was revealed that unofficial downloads of Apple's development environment Xcode contained malicious code that automatically injected information-stealing and remote-control functions into compiled apps. WeChat, NetEase Cloud Music, Amap (Gaode Maps), Didi Chuxing, China Railway 12306 and even some banking apps were confirmed to be affected; more than 3,000 apps on the App Store were infected.

There were two other major security incidents in China. First, in May this year, Ctrip went down for more than ten hours because of an employee's mistaken operation; a large number of users could not access the site, causing direct losses of tens of millions of yuan. Second, on September 1, an upgrade of Yundun "Security Knight", the security product pre-installed on Alibaba Cloud servers, triggered a bug: all newly started executables were quarantined as malicious, some users' online services were seriously affected, and operations and maintenance work could not be carried out.

Security incidents are often caused by lax security management or process problems. As the Internet becomes more widespread and deeply embedded, the stable operation of huge systems becomes more and more important, and operations and maintenance is also an important part of security work as a whole.

7、 Policies and regulations are on the way


In the article "Seven Trends of Network Security in 2015", we "boldly foresaw that in 2015 the introduction of draft legislation may be seen". At the end of June 2015, the 15th session of the Standing Committee of the 12th National People's Congress deliberated on the "Network Security Law (Draft)" and solicited public opinion in early July. The main contents of the draft include: establishing the basic principles of network security work, bringing personal information protection and the security of network products and services onto the right track, and stipulating that the government may take temporary measures to restrict the network in the event of major emergencies. It can be predicted that once the draft becomes a formal law, other related security regulations and rules will be issued one after another.

Some other influential events related to security policy:


8、 Building a national cyberspace security system is imminent

In June this year the US Office of Personnel Management was infiltrated by hackers and 27 million people's information was leaked. US Director of National Intelligence Clapper even publicly said that China had been identified as the leading suspect in the intrusion. US media even reported that the Obama administration was studying a series of "unprecedented" economic sanctions against China, mainly aimed at "Chinese companies and individuals who benefit from the theft of US trade secrets through the Internet". But at the first cybersecurity dialogue between the two countries in December, both sides confirmed that the OPM incident was defined as an attack not backed by a state.

In September this year President Xi Jinping visited the United States and reached six points of consensus on Internet-related issues, including: network security review; general measures to strengthen the network security of information and communication technology in the commercial field; information sharing and assistance on malicious cyber activities; opposition to cyber theft of intellectual property; formulating and promoting norms of state conduct in cyberspace in the international community; and establishing a high-level joint dialogue mechanism between the two countries to combat cybercrime and related matters.

That same month, two draft contracts and orders from US Cyber Command showed that it would outsource US$460 million of expanded cyber-attack capability to defense contractors. The United States has always regarded China as its biggest cyber-security adversary. Its Department of Defense issued a new strategy against cyber attacks launched from abroad in July, and China is one of its strategic targets. The United States has now established cyber forces numbering in the tens of thousands and developed thousands of cyber-warfare weapons; the whole cyber combat system is complete, and cyber war could be launched at any time.

At present, China's network security problems remain prominent: for example, a lack of security awareness and weak capability in cyber confrontation, a weak network security foundation in terms of laws, funding and talent, and poor protection of critical information infrastructure. Although a certain consensus has been reached with the United States, the contest of network security capability behind it continues, and the situation is very severe. It is urgent to build a comprehensive network security system that integrates "prevention" and "control"!

Looking across the whole "2015 Network Security Highlights", it can be summed up in four sentences:

Giants lay out enterprise security; emerging start-ups are eager to try.

Vulnerabilities flow into the black-market torrent; a state-driven spring tide is coming.

The events of 2015 are recorded here. See you next year!

Wang Xiaorui

Author of articles on finance and IT, translator of the famous social engineering book "The Art of Deception", long-time contributor to Financial Circle magazine, and editor-in-chief of China Computer Security Net and Guangguang Net.