A recent analysis of the Tor network's infrastructure has revealed that a single malicious actor managed to control over 27% of the network's total exit relay capacity, routing a large share of all traffic leaving Tor through exit relays it operated.
“The entity attacking Tor users is actively exploiting Tor users for over a year and expanded the scale of their attacks to a new record level,” an independent security researcher who goes by the name nusenu said in a write-up published on Sunday. “The average exit fraction this entity controlled was above 14% throughout the past 12 months.”
The finding is the latest in a series of reports exposing malicious relay activity on the Tor network since December 2019. The attacks, believed to have begun in January 2020, were first documented by the same researcher in August 2020.
Tor (The Onion Router) is open-source software for anonymous communication over the internet. It conceals the source and destination of a request by routing traffic through a series of relays, masking the user’s IP address and location from surveillance and traffic analysis. Traffic enters the network at an entry (guard) relay, middle relays pass it along, and exit relays are the final hop, where the traffic leaves the Tor network toward its destination. Because the exit relay removes the last layer of onion encryption, it sees, and can modify, anything the application itself did not encrypt, which is what makes plain HTTP over Tor dangerous.
Exit relays have been abused before, for instance to inject malware such as OnionDuke into traffic leaving the network, but this is the first time a single threat actor has been found controlling such a large fraction of Tor exit capacity.
At its peak in August 2020, the attacker ran 380 malicious exit relays before the Tor directory authorities intervened and removed them from the network. In a second wave earlier this year, the attacker attempted to add more than 1,000 further exit relays, which were again detected.
According to nusenu, the main aim of the attack was to carry out man-in-the-middle (also called person-in-the-middle) attacks on Tor users by manipulating traffic as it passed through the attacker’s exit relays. Specifically, the attacker performed SSL stripping to keep connections to Bitcoin (BTC) mixer, or cryptocurrency tumbling, services on plain HTTP instead of letting them upgrade to HTTPS. With the traffic in plaintext, the exit relay could rewrite the Bitcoin addresses shown to the user and redirect payments to the attacker’s wallets. Note that an exit relay cannot break a properly established TLS session; the attack only works when the user’s request first goes out over unencrypted HTTP, which is why the mitigations below focus on eliminating plain HTTP altogether.
“If a user visited the HTTP version (i.e. the unencrypted, unauthenticated version) of one of these sites, they would prevent the site from redirecting the user to the HTTPS version (i.e. the encrypted, authenticated version) of the site,” the Tor Project explained last August. “If the user didn’t notice that they hadn’t ended up on the HTTPS version of the site (no lock icon in the browser) and proceeded to send or receive sensitive information, this information could be intercepted by the attacker.”
To mitigate such attacks, the Tor Project made several recommendations:
- Website administrators should enable HTTPS by default, so that a plain-HTTP request never serves content an exit relay could modify.
- Operators should deploy .onion services, which keep traffic inside the Tor network end to end and bypass exit relays entirely.
A redirect from HTTP to HTTPS is, on its own, exactly what SSL stripping intercepts, so in practice it should be paired with HTTP Strict Transport Security (ideally preloaded) so that a browser that has seen the site before never sends a plain-HTTP request again.
Furthermore, the project said it is working on a “comprehensive fix” that disables plain HTTP in the Tor Browser.
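To make the attack described above and the HTTPS-by-default recommendation concrete, here is an added example; it is not code from the article, from nusenu, or from the Tor Project. It models a well-configured mixer origin, an honest exit relay, and an SSL-stripping exit that swaps Bitcoin addresses, and then runs a simple bad-exit check of the kind used to catch such relays: request the plain-HTTP URL through the exit under test and compare the answer with a reference copy fetched over HTTPS. The hostname mixer.example, the HTML, and every address are constructed for the example; none are real wallets.

```python
import re
from dataclasses import dataclass, field

# Address formats an address-swapping exit would rewrite: Base58Check P2PKH/P2SH
# (leading 1 or 3, alphabet without 0/O/I/l) and bech32 segwit (bc1, charset
# without 1/b/i/o).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)

# Constructed sample addresses for this example; none of these are real wallets.
MIXER_LEGACY = "1VictimDeposit23456789ABCDEFGH"
MIXER_SEGWIT = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
ATTACKER_LEGACY = "1AttackerSwap23456789ABCDEFGH"
ATTACKER_SEGWIT = "bc1qattacker0swap00000000000000000000"

# Constructed page served by the hypothetical mixer at mixer.example.
MIXER_HTML = ('<p>Deposit BTC to {legacy} or {segwit}.</p>'
              '<a href="https://mixer.example/status">Check status</a>')


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def origin(url: str) -> HttpResponse:
    """Origin following the 'HTTPS by default' advice: plain HTTP only redirects,
    and the HTTPS page carries HSTS so a returning browser never speaks HTTP."""
    if url.startswith("http://"):
        return HttpResponse(301, {"Location": "https://" + url[len("http://"):]})
    body = MIXER_HTML.format(legacy=MIXER_LEGACY, segwit=MIXER_SEGWIT)
    return HttpResponse(200, {"Strict-Transport-Security": "max-age=31536000"}, body)


def honest_exit(url: str) -> HttpResponse:
    """A normal exit relay forwards the request and returns the origin's answer untouched."""
    return origin(url)


def malicious_exit(url: str) -> HttpResponse:
    """SSL-stripping exit as described in the article. The client asked for plain HTTP,
    so the exit sees and controls the whole exchange: it follows the redirect to HTTPS
    itself, serves the result back over HTTP, drops the headers that would move the
    user to TLS, rewrites in-page https:// links, and swaps the payout addresses."""
    resp = origin(url)
    location = resp.headers.get("Location", "")
    if resp.status in (301, 302) and location.startswith("https://"):
        resp = origin(location)                      # the exit talks TLS to the origin
    body = resp.body.replace("https://", "http://")  # keep follow-on clicks in plaintext

    def swap(match):
        return ATTACKER_SEGWIT if match.group(0).startswith("bc1") else ATTACKER_LEGACY

    body = BTC_ADDRESS_RE.sub(swap, body)
    headers = {k: v for k, v in resp.headers.items()
               if k not in ("Strict-Transport-Security", "Location")}
    return HttpResponse(200, headers, body)


def audit_exit(exit_fetch, url: str, reference: HttpResponse) -> list:
    """Bad-exit check: request `url` through the exit under test and compare with a
    reference copy fetched directly over HTTPS. Flags an exit that answers a plain-HTTP
    request with content instead of an HTTPS redirect, and one whose page shows a
    different set of Bitcoin addresses than the reference."""
    findings = []
    observed = exit_fetch(url)
    if url.startswith("http://"):
        loc = observed.headers.get("Location", "")
        if not (observed.status in (301, 302, 307, 308) and loc.startswith("https://")):
            findings.append("no_https_redirect")
    if observed.status == 200:
        seen = set(BTC_ADDRESS_RE.findall(observed.body))
        expected = set(BTC_ADDRESS_RE.findall(reference.body))
        if seen != expected:
            findings.append("btc_address_mismatch")
    return findings


if __name__ == "__main__":
    ref = origin("https://mixer.example/")
    for name, relay in (("honest", honest_exit), ("malicious", malicious_exit)):
        print(name, audit_exit(relay, "http://mixer.example/", ref) or "clean")
```

The honest relay comes back clean, while the stripping relay is flagged twice: it served content over plain HTTP where the origin would have redirected, and the addresses on that content differ from the reference copy. The address comparison is what matters against this campaign; the missing redirect alone would also flag a legitimately misconfigured origin, which is why the check uses a reference fetched outside the exit under test.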
“The risk of being the target of malicious activity routed through Tor is unique to each organization,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory in July 2020. “An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls.”
“Organizations should evaluate their mitigation decisions against threats to their organization from advanced persistent threats (APTs), moderately sophisticated attackers, and low-skilled individual hackers, all of whom have leveraged Tor to carry out reconnaissance and attacks in the past,” the agency added.
Source: The Hacker News