Spike in suspicious traffic and TOR usage, says threat report
Solutionary has released its Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report for Q3 2013, providing intelligence on key security threats observed and intelligence gathered over the period.
Key findings include:
- Tor traffic increased by 350 percent.
- Hacktivist campaigns continued to compromise and deface the websites of Israel- and European Union-based organizations.
- Phishing emails continued to be successful attack vectors, with attackers using them to launch APT campaigns.
- There has been an uptick in anomalous ICMP traffic outside the realm of normal activity based on the structure and frequency of packets.
Although it has been reported that surging Tor usage may be attributable to anti-NSA surveillance activities, SERT observed that the August and September surge in activity of the popular anonymizing service can also be attributed, to some extent, to a new variant of the Mevade malware family. Designed to use the Tor network to hide command and control servers, adoption gives attackers an advantage by deploying harder-to-detect malware. Organizations can find key indicators of this type of botnet activity as well as mitigation advice in the report.
The hacktivist campaigns OpUSA and OpIsraelReborn continued to compromise and deface Israel- and European Union-based organizations’ websites; the primary attack vectors consisted of spear phishing, Domain Name System (DNS) registry tampering, SQL injection, Cross-Site Scripting (XSS) and Distributed Denial of Service (DDoS) attacks.
Spear phishing attacks identified by SERT revealed that users still fall victim to phishing attacks despite the existence of anti-phishing awareness programs within organizations. While tactics and techniques have evolved over the years, this specific attack vector has maintained a very high success rate. Solutionary provides recommendations and insight in its report to help organizations mitigate this preventable threat, and offers examples of spoofed emails and scenarios to better prepare for this frequent attack.
Finally, the report summarizes a noticeable increase in ICMP traffic targeting monitored devices in the U.S. and Europe. While ICMP is designed for diagnostic and control purposes and it occurs in normal traffic, the SERT has identified traffic that is outside the realm of normal activity based on the structure and frequency of the packets. One such payload shared commonalities with the famed worm Nachi. While conclusions have not been cemented, the traffic shares attributes similar to previous attacks, and many previous attacks have been foreshadowed by an increase in similar anomalous activity.
For more details, download the report here (registration required).