What are the countermeasures by Korea Internet & Security Agency(KISA) for the cyber attack on public institutions by the Chinese hacking group ‘Xiaoqiying’? 

An emergency has arisen in Korea during the Lunar new year season. The Chinese hacking group Xiaoqiying has announced a large-scale cyber attack on public institutions.Xiaoqiying hacked the homepages of 12 different academic institutions including the Korean language Society and disseminated personal information on the open source community Github.It has been revealed that a total of 161 people’s personal information was disclosed, including names, affiliations, IDs and passwords, mobile phone numbers, work phone numbers, workplace, home addresses, and more. Massive numbers of e-mail addresses from corporations such as POSCO, LG electronics, Samsung electronics, Hyundai steel, and Kumho tire were also confirmed to be included on the list of dissemination as well as government departments and public institutions’. As a result, the Korean Internet & Security Agency (KISA) urged victims to implement additional security measures and provided 157 private sector victims’ personal information to the related organizations and corporations to verify their validity. Meanwhile, the damage is still ongoing as 12 academic institution websites that were targeted by the hackers have yet to fully recover.Such cyber attacks emphasize the importance of having a proactive response through security systems, including security solutions for government agencies, public institutions, and private sector websites, as well as regular security checks and ongoing monitoring for vulnerabilities.

Private sector security guide by KISA

The Korean Internet & Security Agency (KISA) has issued a recommendation for the strengthening of private sector website security in response to a large-scale cyber attack warning from a Chinese hacking organization.

1. In the case of websites with a login function, it is necessary to regularly check for irregular access history and block abnormal IPs, and share it with relevant agencies.
2. A threshold should be set for the number of login attempts per IP and enhance unauthorized login blocks by using technology like CAPTCHA.

3. Enhance user account security with a password change and 2-factor authentication.

4. Recommend enhancing account security management for registered users:

• Avoid duplicating account information on multiple sites
• Set a complex password and change it every 3 months on a regular basis
• Enable 2-factor authentication through OTP, SMS, etc. in addition to ID and password
• In case of account information exposure, change the password for all sites using the same information.

5. Enhance the alert function such as SMS notification in case of changing important user information (phone bill, etc).

6. Request for maintenance of related services and security enhancement from outsourcing contractors.

Let’s find out the ways to enhance the security of public institutions and private sector websites by responding to various threats such as cyber-attacks and hacking according to the security guidelines of the Korean Internet & Security Agency (KISA).

Abnormal IP and unauthorized login block

Websites connected to the internet can be targeted by cyber attacks at any time regardless of their size. The implementation of security services to counter indiscriminate cyber attacks is a necessity, not a choice.
The most basic security measure for website security is the implementation of a “Web Application Firewall (WAF)”.Cloudbric WAF+ is a cloud-based web security service that can be quickly and easily implemented without any installation. In addition to WAF (Web Application Firewall) features, it provides five essential services for enterprises to build web security, such as SSL/TLS certificate, DDoS protection, bot control, blocking malicious IPs, etc.Especially by applying malicious IP information to a web application firewall (WAF), it is possible to block abnormal IPs and unauthorized logins to prevent cyber threats that may occur. Cloudbric WAF+ blocks malicious IPs based on threat intelligence collected from over 700,000 websites in 95 countries.Cloudbric WAF+ also features a logic-based detection engine and its own AI engine for robust security. The logic-based detection engine patented in 5 countries (US, Europe, Korea, Japan, and China) automatically detects and analyzes threats without the need for separate updates when new attacks occur. Cloudbric WAF+ accurately detects hidden or altered new web attack patterns by understanding the meaning and structure of data and has low false positive rates.>> Go to Cloudbric WAF+

Enhance account security with 2 factor authentication

Due to COVID-19, the work environment without time and location constraints, such as telecommuting and remote work, has become more common and companies are facing increasingly severe security threats. To protect the company’s network safely, only authorized users should be able to access it with strict verification, anywhere and anytime, with various devices.Cloudbric RAS (Remote Access Solution) is an agentless zero-trust network access (ZTNA) solution that provides fast and easy secure remote access without the need for downloads or complicated installations. Instead of traditional authentication with a device or IP address, it provides a safe remote access environment through user-centric enhanced authentication.In addition to ID and password for normal browser access, users can choose from additional authentication methods such as email address or OTP authentication to secure their accounts through two-factor authentication. Furthermore, for administrators, the integrated management screen allows for easy management by approving user authentication and monitoring the operating status.>> Go to Cloudbric RAS

DDoS Attack

Security threats are always around us and hacking isn’t the only threat. Along with various hacking incidents, Distributed Denial of Service (DDoS) attacks are also continuously occurring both domestically and internationally.In November 2022, the hacking group Killnet carried out a DDoS attack on major airport websites in the US, causing preparation for major website protection in Korea. DDoS is an attack that uses multiple systems to overload a web server. It is extremely important to have preventive measures in place, as all data on the web server can be deleted or information leaked due to a DDoS attack. Although DDoS attacks are becoming more sophisticated and complex every year, existing security measures cannot prevent all DDoS attacks, so it is necessary to prepare for new threats.Cloudbric ADDoS is a highly advanced DDoS defense service that collects, analyzes, and distributes DDoS attack intelligence based on edge computing technology, allowing for quick blocking of attacks from anywhere in the world. The service is capable of handling all forms of DDoS attacks, including frequent traditional attacks, multi-vector attacks, and application-level attacks. >> Go to Cloudbric ADDoS

Cyber attacks are constantly evolving year by year. To keep up with increasingly sophisticated security threats, protect valuable data for both public institutions and enterprises with Cloudbric’s cloud-based security solutions.

[Sources]

Korea Internet & Security Agency(KISA)
https://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=67129Yonhap news
https://www.yna.co.kr/view/AKR20230125076600017Boan news
https://www.boannews.com/media/view.asp?idx=113708Hankyung
https://www.hankyung.com/international/article/2022110588357