Threat Actor Compromised More than 25 Percent of Tor Network Relays, Research Shows

Silviu STAHIE

May 11, 2021

Unknown actors took control over a quarter of all Tor network relays to launch man-in-the-middle attacks, target bitcoin addresses and much more.

Tor is software that lets users obfuscate their network traffic by routing it automatically through numerous volunteer-operated relays worldwide. That traffic is typically encrypted, so intercepting it outright is not really an option, but the attacker did something more subtle.

Security researcher ‘nusenu’ published an extensive analysis of the threat actor’s actions in 2021, saying that it is likely the most significant relay compromise to date, covering around 27 percent of Tor network relays, and that is a conservative estimate.

One problem the researcher found relates to how the Tor browser deals with insecure links. It turns out that the Tor browser is not HTTPS-only, which means that it will also load pages over plain HTTP. Websites served in plaintext are a gold mine for an attacker sitting on the path, such as a malicious exit relay, looking for valuable information.

The researcher also says the full nature of the attacks is not known, with a few exceptions.

“We know about mitmproxy, sslstrip, bitcoin address rewrites and download modification attacks but it is not possible to rule out other types of attacks. Imagine an attacker runs 27% of the tor network’s exit capacity and a firefox exploit affecting Tor Browser gets published before all users got their (auto)updates,” said nusenu.

The sslstrip and bitcoin address rewrite attacks are interesting because they likely mean the attackers performed SSL stripping, forcing victims onto the HTTP version of a cryptocurrency mixing service. That exposes the bitcoin addresses to the attacker, who can then rewrite them to redirect funds to their own wallets.
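To make the weak point concrete, here is a small added checker (not code from the article or from nusenu’s research) that classifies a server response by how exposed it is to the stripping and address-rewrite pattern described above: a plain HTTP response is fully visible and rewritable by whoever relays it, an HTTPS response without HSTS can still be downgraded on a later visit, and an HTTPS response with a usable Strict-Transport-Security header narrows that window. The sample responses and the bitcoin address are constructed for the example; the verdict strings and the regular expression are this example’s own choices.

```python
"""Added example: classify how exposed an HTTP(S) response is to SSL stripping.

The responses below are constructed samples, not captured Tor traffic. The
bech32 address is the well-known BIP173 test vector, not a real target.
"""
import re

SAMPLE_RESPONSES = {
    # Plain HTTP: an on-path relay sees the body and can rewrite it freely.
    "plain_http_with_address": {
        "scheme": "http",
        "headers": {"Content-Type": "text/html"},
        "body": "Send your deposit to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
    },
    # HTTPS but no HSTS: a stripping proxy can keep a client on http:// next time.
    "https_no_hsts": {
        "scheme": "https",
        "headers": {"Content-Type": "text/html"},
        "body": "<html>mixer front page</html>",
    },
    # HTTPS with a long HSTS policy and the preload directive.
    "https_hsts": {
        "scheme": "https",
        "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        "body": "<html>mixer front page</html>",
    },
}

# Loose match for legacy base58 (1.../3...) and bech32 (bc1...) addresses.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def find_bitcoin_addresses(body):
    """Return every bitcoin-looking address in a response body."""
    return BTC_ADDRESS_RE.findall(body)


def assess_downgrade_exposure(response):
    """Return a verdict string describing the response's exposure to stripping."""
    scheme = response["scheme"].lower()
    headers = {k.lower(): v for k, v in response["headers"].items()}
    addresses = find_bitcoin_addresses(response["body"])

    if scheme == "http":
        verdict = "exposed: plaintext"
        if addresses:
            verdict += ", bitcoin address visible"
        return verdict

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return "downgradable: HTTPS without HSTS, later visits can be stripped"
    parsed = parse_hsts(hsts)
    if not parsed["max_age"]:
        return "downgradable: HSTS max-age missing or zero"
    if parsed["preload"]:
        return "protected: HSTS with preload directive, no first-visit window once preloaded"
    return "partially protected: HSTS pinned for %d s after a clean first visit" % parsed["max_age"]


if __name__ == "__main__":
    for name, response in SAMPLE_RESPONSES.items():
        print("%-24s %s" % (name, assess_downgrade_exposure(response)))
```

The point of the check is the first branch: once a page is served over plain HTTP, no header can help, because the relay that strips TLS also controls the body it forwards. HSTS only helps a client that has already seen the HTTPS origin once (or has it preloaded), which is why an HTTPS-only browser mode removes the problem more directly than any server-side header.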

The researcher also published several possible mitigations, such as moving Tor to an HTTPS-only version, but that is not easy to achieve right now. He also proposed a few measures that would make it easier to verify whether relays are tainted.

The few available indicators seem to show that the attacker is operating out of Russia, but it’s difficult to verify that information.
