An unidentified threat actor has been attempting to add new servers to the Tor network, with the intention of carrying out SSL stripping attacks on users of the Tor Browser and Tor relays.


What’s happening?

Since the beginning of the year, the group has been trying to take control of the Tor network via Tor exit relays.
  • When a Tor browser user accesses any cryptocurrency-related website, if the traffic happens to pass through the attacker-controlled Tor exit relays, the attacker could manipulate the traffic in their favor.
  • When a user makes any cryptocurrency transaction, the traffic is directed towards Bitcoin mixing services via Tor exit nodes.
  • By having control of these exit nodes, the attacker could replace the destination Bitcoin address of any cryptocurrency transaction, without the user’s knowledge, thus carrying out a man-in-the-middle attack.


Modus Operandi

  • While carrying out the man-in-the-middle attack, the attackers used SSL stripping, in which they downgraded the targeted web traffic from HTTPS URLs to less secure HTTP requests.
  • Within these HTTP requests, the attackers would replace the Bitcoin addresses that users entered for Bitcoin mixing services, effectively hijacking the transaction without the user’s knowledge.
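
The two steps above leave observable traces that a relay-checking script can test for. The following is an added example, not code from the original article: the function names, the host mixer.example and the placeholder addresses are assumptions, and all sample data is constructed.

```python
import re

# Shape match only (legacy Base58 1.../3... and bech32 bc1...); no checksum validation.
BTC_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b")
HTTPS_LINK_RE = re.compile(r"https://[^\s\"'<>]+")
REDIRECTS = (301, 302, 307, 308)


def upgrades_to_https(resp):
    """True if the reply redirects a plain-HTTP request to an https:// URL."""
    return resp["status"] in REDIRECTS and resp["headers"].get("Location", "").startswith("https://")


def response_findings(trusted_http, trusted_https_body, observed_http):
    """Compare the reply to a plain-HTTP request seen through an exit relay
    with what the same site returns over a trusted path."""
    findings = []
    # The site upgrades HTTP to HTTPS, but the upgrade never reached the client.
    if upgrades_to_https(trusted_http) and not upgrades_to_https(observed_http):
        findings.append("https-redirect-suppressed")
    # https:// links on the real page show up as http:// in the relayed copy.
    body = observed_http.get("body", "")
    for link in sorted(set(HTTPS_LINK_RE.findall(trusted_https_body))):
        if link not in body and "http://" + link[len("https://"):] in body:
            findings.append("link-downgraded: " + link)
    return findings


def request_findings(sent_body, received_body):
    """Compare a form body sent through the exit with the copy logged by a
    test server that the checker controls."""
    sent, received = set(BTC_RE.findall(sent_body)), set(BTC_RE.findall(received_body))
    return ["address-replaced: %s -> %s" % (s, r)
            for s in sorted(sent - received) for r in sorted(received - sent)]


# Constructed sample data: hypothetical host and placeholder addresses.
TRUSTED_HTTP = {"status": 301, "headers": {"Location": "https://mixer.example/"}, "body": ""}
TRUSTED_HTTPS_BODY = '<form action="https://mixer.example/mix" method="post">'
OBSERVED_HTTP = {"status": 200, "headers": {},
                 "body": '<form action="http://mixer.example/mix" method="post">'}
SENT = "dest=" + "1" + "A" * 33          # what the client submitted
RECEIVED = "dest=" + "1" + "B" * 33      # what arrived at the test server

if __name__ == "__main__":
    for finding in response_findings(TRUSTED_HTTP, TRUSTED_HTTPS_BODY, OBSERVED_HTTP):
        print(finding)
    for finding in request_findings(SENT, RECEIVED):
        print(finding)
```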


The scale of the attack campaign

  • As of May 22, 2020, the threat actor controlled over 23.95% of all Tor exit relays (380 servers), thus giving them the chance to control approximately one in every four transactions.
  • Once the malicious servers were identified, the Tor team intervened to cut them off. However, it is believed that as of Aug 8, these attackers are still running more than 10% of Tor network exit capacity.


Tipping points

To date, there is a lack of strict security checks on which entities can join the Tor network, so such attacks may be expected to continue in the future. Besides man-in-the-middle attacks, users need to be cautious about the risks related to recently disclosed vulnerabilities in Tor networks. Users should keep the Tor browser and all associated modules updated with the latest patches, and use capable anti-malware solutions and firewalls to stay protected.

Cyware Publisher
