Onion Browsers Can Make You Cry

An IP address can be used to reveal a user's identity. With the Tor browser, however, users can hide their identity from ISPs and web trackers. This applies to genuine users and malicious hackers alike.

Making the headlines

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI recently warned organizations about threats stemming from the Tor anonymity network. Using Tor, cyber actors mask their identity while engaging in malicious activity. The agency suggests watching for inbound and outbound traffic associated with known Tor nodes.

Evaluating the risks

“Tor traffic is at heightened risk of being targeted and exploited by threat actors hiding their identity and intentions using Tor,” an excerpt from the CISA advisory reads.
  • Experts said that attackers exploit the anonymous network to carry out malicious activities, including data exfiltration, DDoS attacks, and reconnaissance.
  • Before dropping malware, they use Tor to hide the real attack sources and C2 infrastructure.
  • Moreover, the use of Tor for malicious purposes makes it tough for a SOC team to perform system recovery and respond to attacks.

How does it work?

Attackers attempt to create a layer of anonymity as they expand their control inside a compromised system.
  • In the pre-attack stage, they conduct active/passive scanning for targets, determine the domain and IP address of a potential victim, and look for suitable vulnerabilities.
  • Subsequently, attackers exploit public-facing applications, establish connections via the hidden C&C server, and perform data exfiltration, encryption, or DDoS.

For the organizations at risk, CISA said “malicious activity routed through Tor is unique to each organization.” It further stated that each entity should individually determine the risks by assessing the chances of a threat actor infiltrating the systems under the present security standards.

Mitigation techniques

Indicator- or behavior-based analysis at various network endpoints and appliances can help security teams detect malicious Tor traffic. To combat Tor-based threats, CISA recommends:
  • Organizations should assess whether staff need to use Tor for their activities;
  • Block all web traffic to and from public Tor nodes if your organization doesn’t need it at all;
  • Restrict all Tor traffic to harmful resources, while monitoring the rest more often.
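
One way to run the indicator-based check described above, as an added example (not code from CISA or from the original article): match firewall log lines against a list of known Tor node addresses and tag each hit as inbound or outbound. The log format, the node list and every address (documentation-only ranges) are constructed for illustration.

```python
import ipaddress
import re

# Constructed node list (documentation-only addresses), one IP per line.
SAMPLE_TOR_NODES = """\
# constructed sample, not real Tor nodes
192.0.2.10
198.51.100.77
not-an-ip
"""

# Constructed firewall log in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z ALLOW src=10.0.0.15 dst=203.0.113.80 dport=443
2024-01-15T10:00:07Z ALLOW src=192.0.2.10 dst=10.0.0.20 dport=22
2024-01-15T10:01:12Z ALLOW src=10.0.0.31 dst=198.51.100.77 dport=9001
2024-01-15T10:01:30Z DENY src=198.51.100.77 dst=10.0.0.20 dport=3389
truncated line without addresses
"""

LINE_RE = re.compile(r"^(\S+) (\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_ip(text):
    """Return an IP object, or None for malformed input."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def load_nodes(text):
    """Parse a node list, skipping comments, blanks and malformed entries."""
    parsed = (parse_ip(line) for line in text.splitlines())
    return {ip for ip in parsed if ip is not None}

def find_tor_traffic(log_text, nodes):
    """Return (timestamp, direction, action, internal_ip, node_ip, dport) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, action, src, dst, dport = m.groups()
        if parse_ip(src) in nodes:    # traffic arriving from a listed node
            hits.append((ts, "inbound", action, dst, src, int(dport)))
        elif parse_ip(dst) in nodes:  # internal host reaching a listed node
            hits.append((ts, "outbound", action, src, dst, int(dport)))
    return hits

if __name__ == "__main__":
    print(*find_tor_traffic(SAMPLE_LOG, load_nodes(SAMPLE_TOR_NODES)), sep="\n")
```

The outbound hits are the ones to triage first when Tor is not approved for staff use, since they point at an internal host initiating the connection.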

The bottom line

While Tor promotes privacy, its anonymity features pave the way for malicious actors to inflict harm on everyday users. As per CISA, an organization must take precautionary measures to defend itself against cybercriminals, while also reporting suspicious activities to authorities in a timely manner.