According to a new report on dark web infrastructure, an unknown threat actor controlled more than 27% of the entire Tor network exit bandwidth in early February 2021.
“The group targeting Tor users has been systematically manipulating Tor users for over a year and has increased the scope of their attacks to a new record level,” an independent security researcher known as nusenu wrote on Sunday. “During the previous 12 months, this entity’s total exit fraction was above 14 percent.”
It is the latest in a series of attempts since December 2019 to bring malicious Tor relay activity to light. The attacks themselves began in January 2020 and were first publicly documented by the same researcher in August 2020.
Tor is open-source software that lets users communicate anonymously over the Internet. It hides a user’s IP address, location and browsing activity from surveillance and traffic analysis by routing traffic through a series of relays. Middle relays receive Tor traffic and pass it along inside the network; an exit relay is the final node that traffic passes through before it reaches its destination, and therefore the only relay that sees the traffic as it leaves the Tor network.
Tor exit nodes have been abused in the past to inject malware such as OnionDuke, but this is the first time a single unidentified attacker has taken control of such a large number of Tor exit nodes.
The entity operated 380 malicious Tor exit relays at its peak in August 2020, until the Tor directory authorities intervened to remove the nodes from the network. Activity then peaked again early this year, with the attacker attempting to add over 1,000 exit relays in the first week of May. All malicious exit relays from this second wave were detected and removed.
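The figures above (27% of exit bandwidth, 380 relays, 1,000 relays) come from aggregating relay metadata by operator. The following script, an added example that is not part of the article or of nusenu's tooling, shows the core of that kind of analysis on constructed relay records: it groups exit relays by a normalised ContactInfo string (relays with no contact are pooled, because a large anonymous share of exit capacity is itself the warning sign), computes each group's fraction of total exit bandwidth, and flags groups over a threshold. The `Relay` fields, the sample fingerprints and contact strings, and the 20% default threshold are assumptions for the example; a real analysis would use consensus weights from the Tor directory and also consider relay family declarations and first-seen dates.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    fingerprint: str   # relay identity fingerprint (constructed, not a real relay)
    nickname: str
    is_exit: bool      # True when the relay carries the Exit flag
    bandwidth: int     # measured bandwidth in arbitrary units (constructed)
    contact: str       # ContactInfo field; "" when the operator published none


NO_CONTACT = "<no-contact>"

# Constructed sample consensus: total exit bandwidth is 10000 units.
SAMPLE_RELAYS = [
    Relay("A" * 40, "quietExit1", True, 1000, ""),
    Relay("B" * 40, "quietExit2", True, 1000, ""),
    Relay("C" * 40, "quietExit3", True, 700, ""),
    Relay("D" * 40, "opsExitA", True, 2000, "tor-ops@example.org"),
    Relay("E" * 40, "opsExitB", True, 1300, "tor-ops@example.org"),
    Relay("F" * 40, "opsExitC", True, 1000, "  Tor-Ops@example.org "),  # same operator, sloppy casing
    Relay("G" * 40, "uniExit", True, 3000, "relay@university.example"),
    Relay("H" * 40, "bigMiddle", False, 5000, ""),  # middle relay: not counted
]


def operator_key(relay: Relay) -> str:
    """Normalise ContactInfo (collapse whitespace, lower-case) into a grouping key.
    Relays that publish no contact are pooled under NO_CONTACT."""
    contact = " ".join(relay.contact.split()).lower()
    return contact or NO_CONTACT


def exit_fraction_by_operator(relays):
    """Return {operator_key: fraction of total exit bandwidth}, exits only."""
    totals = defaultdict(int)
    for relay in relays:
        if relay.is_exit:
            totals[operator_key(relay)] += relay.bandwidth
    total_exit = sum(totals.values())
    if total_exit == 0:
        return {}
    return {key: bw / total_exit for key, bw in totals.items()}


def flag_dominant_operators(relays, threshold=0.20):
    """List (operator_key, fraction) pairs at or above the threshold, largest first."""
    fractions = exit_fraction_by_operator(relays)
    flagged = [(key, frac) for key, frac in fractions.items() if frac >= threshold]
    return sorted(flagged, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for key, frac in flag_dominant_operators(SAMPLE_RELAYS):
        print(f"{key:28s} {frac:6.1%} of exit bandwidth")
```

On the sample data the pooled no-contact relays hold 27% of exit bandwidth and the casing-variant contact strings are correctly merged into one 43% group; the threshold is what turns the fractions into an alert, and it should be tuned against the long-run distribution rather than a single snapshot.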
According to nusenu, the main goal of the attack is to mount man-in-the-middle attacks on Tor users by manipulating traffic as it passes through the attacker’s exit relays. The attacker uses SSL stripping to downgrade connections to Bitcoin mixer services from HTTPS to HTTP, then replaces the Bitcoin addresses in the unencrypted pages so that transactions are redirected to the attacker’s wallets instead of the user-supplied address.
“If a user visits the HTTP version (i.e. the unencrypted, unauthenticated version) of one of these pages, they can prevent the site from redirecting the user to the HTTPS version (i.e. the encrypted, authenticated version),” Tor Project maintainers clarified in August. “If a user didn’t realize they weren’t on the HTTPS version of the site (no lock icon in the browser) and proceeded to send or receive sensitive information, the attacker might intercept that information.”
The Tor Project has issued a range of guidelines to counter such attacks, including advising website administrators to enable HTTPS by default and to deploy .onion sites (onion services never pass through exit relays), as well as working on a “comprehensive patch” to disable plain HTTP in Tor Browser.
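The server-side half of that guidance can be checked mechanically. The script below is an added example, not code from the article or the Tor Project: it parses constructed raw HTTP responses and reports whether the plain-HTTP origin redirects to HTTPS, whether the HTTPS origin sends a Strict-Transport-Security header with a sufficiently long max-age, and whether it advertises an onion service via the Onion-Location header. The one-year minimum max-age, the sample responses and the placeholder .onion address are assumptions of the example.

```python
import re

# Minimum HSTS max-age the audit accepts: one year (policy assumption, not from the article).
HSTS_MIN_MAX_AGE = 31536000
REDIRECT_CODES = {301, 302, 307, 308}

# Constructed responses. The "weak" pair serves content over plain HTTP and sets no
# HSTS, which is exactly what an SSL-stripping exit relay relies on.
WEAK_HTTP = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>deposit address here</html>"
)
WEAK_HTTPS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>deposit address here</html>"
)
HARDENED_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://mixer.example/\r\n\r\n"
)
HARDENED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Onion-Location: http://placeholderonionaddressxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion/\r\n"  # constructed placeholder
    "Content-Type: text/html\r\n\r\n<html>deposit address here</html>"
)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, {lower-case header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value: str):
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_site(http_raw: str, https_raw: str) -> dict:
    """Evaluate the three server-side mitigations against captured responses."""
    http_status, http_headers = parse_response(http_raw)
    _https_status, https_headers = parse_response(https_raw)

    location = http_headers.get("location", "")
    hsts = https_headers.get("strict-transport-security")
    max_age = hsts_max_age(hsts) if hsts is not None else None

    return {
        # Plain HTTP must not serve content; it should only bounce to HTTPS.
        "redirects_to_https": http_status in REDIRECT_CODES
        and location.lower().startswith("https://"),
        "hsts_present": hsts is not None,
        "hsts_long_enough": max_age is not None and max_age >= HSTS_MIN_MAX_AGE,
        # Onion-Location lets Tor Browser offer the .onion version, which never
        # traverses an exit relay at all.
        "onion_location": https_headers.get("onion-location"),
    }


if __name__ == "__main__":
    print("weak:    ", audit_site(WEAK_HTTP, WEAK_HTTPS))
    print("hardened:", audit_site(HARDENED_HTTP, HARDENED_HTTPS))
```

Two caveats for whoever reads the report: HSTS only takes effect after a browser has completed one HTTPS visit, so a first-time visitor arriving over plain HTTP through a malicious exit is still exposed unless the domain is on the preload list; and an onion service removes the exit relay from the path entirely, which is why it is the stronger of the two mitigations for the attack described here.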
In a July 2020 advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) said, “The risk of being the victim of malicious activity routed via Tor is unique to each organization. An organization’s individual risk should be assessed by determining the likelihood that a threat actor will threaten its systems or data, as well as the likelihood of the threat actor’s success given current mitigations and controls. Organizations should weigh their mitigation decisions against advanced persistent threats (APTs), moderately sophisticated attackers, and low-skilled individual hackers, all of whom have used Tor for surveillance and attacks in the past.”