Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/4/2013
10:37 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Solutionary Q3 Threat Intel Report: Phishing, Tor, Hacktivism And Spike In Suspicious Traffic

Among the key findings, Tor traffic increased by 350 percent

OMAHA, Neb.--Oct. 29, 2013 -- Solutionary, the leading pure-play managed security services provider (MSSP), today announced that it has released its Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report for Q3 2013, providing intelligence on key security threats observed and intelligence gathered over the period. The report provides follow-up on OpUSA, OpIsraelReborn and Operation Ababil Phase Four; information about the unanticipated spike in usage of The Onion Router (Tor); and observes that despite increased awareness of phishing, related attacks remain effective. Additionally, the report reveals that there has been an increase in Internet Control Message Protocol (ICMP) traffic originating primarily from China, the United States and Romania, which is consistent with past traffic associated with previous security events.

Key Findings

· Tor traffic increased by 350%, likely due to attackers using it to shield botnet traffic and possible attempts to defend against NSA surveillance.

· Hacktivist campaigns continued to compromise and deface the websites of Israel- and European Union-based organizations.

· Phishing emails continued to be successful attack vectors, with attackers using them to launch APT campaigns.

· There has been an uptick in anomalous ICMP traffic outside the realm of normal activity based on the structure and frequency of packets. One such payload shared commonalities with the famed worm Nachi, with the top three countries of traffic origin being China, the U.S. and Romania.

Tor Usage Spikes

Although it has been reported that surging Tor usage may be attributable to anti-NSA surveillance activities, SERT observed that the August and September surge in activity of the popular anonymizing service can also be attributed, to some extent, to a new variant of the Mevade malware family. Designed to use the Tor network to hide command and control servers, adoption gives attackers an advantage by deploying harder-to-detect malware. Organizations can find key indicators of this type of botnet activity as well as mitigation advice in the report.

Hacktivist Campaigns

The hacktivist campaigns OpUSA and OpIsraelReborn continued to compromise and deface Israel- and European Union-based organizations' websites; the primary attack vectors consisted of spear phishing, Domain Name System (DNS) registry tampering, SQL injection, Cross-Site Scripting (XSS) and Distributed Denial of Service (DDoS) attacks.

Spear Phishing Remains Effective

Spear phishing attacks identified by SERT revealed that users still fall victim to phishing attacks despite the existence of anti-phishing awareness programs within organizations. While tactics and techniques have evolved over the years, this specific attack vector has maintained a very high success rate. Solutionary provides recommendations and insight in its report to help organizations mitigate this preventable threat, and offers examples of spoofed emails and scenarios to better prepare for this frequent attack.

Increase in ICMP Traffic Raises Red Flags

Finally, the report summarizes a noticeable increase in ICMP traffic targeting monitored devices in the U.S. and Europe. While ICMP is designed for diagnostic and control purposes and it occurs in normal traffic, the SERT has identified traffic that is outside the realm of normal activity based on the structure and frequency of the packets. One such payload shared commonalities with the famed worm Nachi. While conclusions have not been cemented, the traffic shares attributes similar to previous attacks, and many previous attacks have been foreshadowed by an increase in similar anomalous activity.

"This report reveals that the threat landscape continues to expand, making it a real challenge for organizations of all sizes to detect and defend against advanced attacks. Even organizations with established, mature security investments often come to realize they cannot provide effective security without the assistance of a trusted partner," said Solutionary SERT Director of Research Rob Kraus. "The findings and intelligence revealed in this report provide IT security and risk professionals with essential intelligence that will aid them in defending against advanced attacks that frequently lead to data breaches and compliance problems."

To access a copy of the complete report, please visit: http://www.solutionary.com/research/threat-reports/quarterly-threat-reports/sert-threat-intelligence-report-q3-2013

Visit our blog at http://blog.solutionary.com/.

Follow us on Twitter.

About Solutionary

Solutionary is the leading pure-play managed security service provider (MSSP), focused on delivering managed security services and global threat intelligence. Comprehensive Solutionary security monitoring and security device management services protect traditional and virtual IT infrastructures, cloud environments and mobile data. Solutionary clients are able to optimize current security programs, make informed security decisions, achieve regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard® service platform uses multiple detection technologies and advanced analytics to protect against advanced threats. The Solutionary Security Engineering Research Team (SERT) researches the global threat landscape, providing actionable threat intelligence, enhanced threat detection and mitigating controls. Experienced, certified Solutionary security experts act as an extension of clients' internal teams, providing industry-leading client service to global enterprise and mid-market clients in a wide range of industries, including financial services, healthcare, retail and government. Services are delivered 24/7 through multiple state-of-the-art Security Operations Centers (SOCs).

For more information, visit www.solutionary.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.