Solutionary Q3 Threat Intel Report: Phishing, Tor, Hacktivism And Spike In Suspicious Traffic

Among the key findings, Tor traffic increased by 350 percent

November 4, 2013

4 Min Read


OMAHA, Neb.--Oct. 29, 2013 -- Solutionary, the leading pure-play managed security services provider (MSSP), today announced that it has released its Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report for Q3 2013, providing intelligence on key security threats observed and intelligence gathered over the period. The report provides follow-up on OpUSA, OpIsraelReborn and Operation Ababil Phase Four; information about the unanticipated spike in usage of The Onion Router (Tor); and observes that despite increased awareness of phishing, related attacks remain effective. Additionally, the report reveals that there has been an increase in Internet Control Message Protocol (ICMP) traffic originating primarily from China, the United States and Romania, which is consistent with past traffic associated with previous security events.

Key Findings

· Tor traffic increased by 350%, likely due to attackers using it to shield botnet traffic and possible attempts to defend against NSA surveillance.

· Hacktivist campaigns continued to compromise and deface the websites of Israel- and European Union-based organizations.

· Phishing emails continued to be successful attack vectors, with attackers using them to launch APT campaigns.

· There has been an uptick in anomalous ICMP traffic outside the realm of normal activity based on the structure and frequency of packets. One such payload shared commonalities with the famed worm Nachi, with the top three countries of traffic origin being China, the U.S. and Romania.

Tor Usage Spikes

Although it has been reported that surging Tor usage may be attributable to anti-NSA surveillance activities, SERT observed that the August and September surge in activity of the popular anonymizing service can also be attributed, to some extent, to a new variant of the Mevade malware family. Designed to use the Tor network to hide command and control servers, adoption gives attackers an advantage by deploying harder-to-detect malware. Organizations can find key indicators of this type of botnet activity as well as mitigation advice in the report.

Hacktivist Campaigns

The hacktivist campaigns OpUSA and OpIsraelReborn continued to compromise and deface Israel- and European Union-based organizations' websites; the primary attack vectors consisted of spear phishing, Domain Name System (DNS) registry tampering, SQL injection, Cross-Site Scripting (XSS) and Distributed Denial of Service (DDoS) attacks.

Spear Phishing Remains Effective

Spear phishing attacks identified by SERT revealed that users still fall victim to phishing attacks despite the existence of anti-phishing awareness programs within organizations. While tactics and techniques have evolved over the years, this specific attack vector has maintained a very high success rate. Solutionary provides recommendations and insight in its report to help organizations mitigate this preventable threat, and offers examples of spoofed emails and scenarios to better prepare for this frequent attack.

Increase in ICMP Traffic Raises Red Flags

Finally, the report summarizes a noticeable increase in ICMP traffic targeting monitored devices in the U.S. and Europe. While ICMP is designed for diagnostic and control purposes and it occurs in normal traffic, the SERT has identified traffic that is outside the realm of normal activity based on the structure and frequency of the packets. One such payload shared commonalities with the famed worm Nachi. While conclusions have not been cemented, the traffic shares attributes similar to previous attacks, and many previous attacks have been foreshadowed by an increase in similar anomalous activity.

"This report reveals that the threat landscape continues to expand, making it a real challenge for organizations of all sizes to detect and defend against advanced attacks. Even organizations with established, mature security investments often come to realize they cannot provide effective security without the assistance of a trusted partner," said Solutionary SERT Director of Research Rob Kraus. "The findings and intelligence revealed in this report provide IT security and risk professionals with essential intelligence that will aid them in defending against advanced attacks that frequently lead to data breaches and compliance problems."

To access a copy of the complete report, please visit:

Visit our blog at

Follow us on Twitter.

About Solutionary

Solutionary is the leading pure-play managed security service provider (MSSP), focused on delivering managed security services and global threat intelligence. Comprehensive Solutionary security monitoring and security device management services protect traditional and virtual IT infrastructures, cloud environments and mobile data. Solutionary clients are able to optimize current security programs, make informed security decisions, achieve regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard® service platform uses multiple detection technologies and advanced analytics to protect against advanced threats. The Solutionary Security Engineering Research Team (SERT) researches the global threat landscape, providing actionable threat intelligence, enhanced threat detection and mitigating controls. Experienced, certified Solutionary security experts act as an extension of clients' internal teams, providing industry-leading client service to global enterprise and mid-market clients in a wide range of industries, including financial services, healthcare, retail and government. Services are delivered 24/7 through multiple state-of-the-art Security Operations Centers (SOCs).

For more information, visit

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights