The Tor anonymisation network is increasingly used as the point of origin of attacks on public- and private-sector organisations, the report said.
The Threat Intelligence report noted increases in SQL injection and distributed denial-of-service attacks and of “ransomware” incidents that encrypt data belonging to an individual or an organisation, and then charge a fee to decrypt it.
The network is used for criminal purposes, such as operating contraband websites, and it is increasingly being used by attackers to hide their identities as they scan for vulnerabilities or carry out attacks, IBM said.
“The design of routing obfuscation in the Tor network provides illicit actors with additional protection for their anonymity. It can also obscure the physical location from which attacks originate, and it allows attackers to make the attack appear to originate from a specific geography.”
IBM said there had been a “steady increase” over the past few years in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic.
“Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic,” IBM said in the report.
The US was the top geography of origin for Tor-based attacks, followed by the Netherlands and Romania, but this spread reflects the prevalence of Tor exit nodes rather than the actual location of attackers, according to the study.
Companies have “little choice” but to block Tor-based communications, IBM said.
IBM added that SQL injection attacks were increasing due to the growing use of simplified attack tools such as Havij, which was originally developed for security researchers.
The report also found a speedy development in ransomware, including the appearance of “ransomware as a service” and highly specialised attacks, such as those that target the local files of popular online games.
“We are observing the start of a prolonged battle with ransomware, as ransomware attacks diversify from simple scams to more elaborate ones that target high-value communities or businesses,” IBM stated.
A single ransomware tool, CryptoWall, has made attackers about $18 million (£11 million), according to FBI figures cited in the report.