A joint alert was recently issued by the FBI and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks.
Tor is free, open source software that was developed by the U.S. Navy in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted multiple times and routed through a series of nodes along a random path to the destination server. When a user is connected to the Tor network, their online activity cannot easily be traced back to their IP address. When a Tor user accesses a website, the IP address recorded is that of the exit node rather than the user’s own.
Unsurprisingly, given the level of anonymity provided by Tor, it has been adopted by many threat actors to hide their location and IP address and to conduct cyberattacks and other malicious activities anonymously. Cybercriminals are using Tor to perform reconnaissance on targets, conduct cyberattacks, view and exfiltrate data, deploy malware and ransomware, and conduct Denial of Service (DoS) attacks. According to the alert, cybercriminals are also using Tor to relay commands to malware and ransomware through their command and control (C2) servers.
Since malicious activities can be conducted anonymously, it is hard for network defenders to respond to attacks and perform system recovery. CISA and the FBI recommend that organizations conduct a risk assessment to identify their risk of compromise via Tor. The risk related to Tor will be different for each organization so an assessment should determine the likelihood of an attack via Tor, and the probability of success given the mitigations and security controls that have been put in place. Before a decision can be made about whether to block Tor traffic, it is important to assess the reasons why legitimate users may be choosing to use Tor to access the network. Blocking Tor traffic will improve security but will also block legitimate users of Tor from accessing the network.
CISA and the FBI warn that Tor has been used in the past by a range of different threat actors, from nation-state sponsored Advanced Persistent Threat (APT) actors to individual, low-skill hackers. Organizations that do not take steps to either block inbound and outbound traffic via Tor, or monitor traffic from Tor nodes closely, will be at a heightened risk of being attacked.
In these attacks, reconnaissance is conducted, targets are selected, and active and passive scans are performed to identify vulnerabilities in public-facing applications that can be exploited anonymously. Standard security tools are not sufficient to detect and block these attacks. Instead, a range of security solutions needs to be implemented, and logging should be enabled so that potentially malicious activity can be analyzed using both indicator-based and behavior-based approaches.
“Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes,” according to the report. A list of all Tor exit node IP addresses is maintained by the Tor Project’s Exit List Service, and these can be downloaded. Security teams can use the list to identify any substantial transactions associated with those IP addresses by analyzing their netflow, packet capture (PCAP), and web server logs.
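The indicator-based approach described above, as an added example that is not part of the alert or of this article: load exit-node IPs from a bulk exit list in the "ExitAddress" format the Tor Project publishes, then match them against web server access-log source IPs and total the bytes transferred per exit IP so that large transfers stand out. Both the exit list and the log lines are constructed samples using documentation IP ranges; the 1 MB "substantial transaction" threshold is an assumed value.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the bulk exit list format ("ExitAddress <ip> <timestamp>").
EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2020-07-01 12:00:00
LastStatus 2020-07-01 13:00:00
ExitAddress 198.51.100.23 2020-07-01 13:00:00
ExitNode 0000000000000000000000000000000000000002
Published 2020-07-01 12:05:00
LastStatus 2020-07-01 13:00:00
ExitAddress 203.0.113.77 2020-07-01 13:00:00
"""

# Constructed access-log lines in Apache/nginx combined format.
ACCESS_LOG = """\
192.0.2.10 - - [01/Jul/2020:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jul/2020:13:02:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"
198.51.100.23 - - [01/Jul/2020:13:02:16 +0000] "POST /wp-login.php HTTP/1.1" 302 512 "-" "curl/7.68.0"
203.0.113.77 - - [01/Jul/2020:13:05:40 +0000] "GET /export/customers.csv HTTP/1.1" 200 8388608 "-" "python-requests/2.24"
192.0.2.11 - - [01/Jul/2020:13:06:00 +0000] "GET /about HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)')

def load_exit_ips(text):
    """Collect every ExitAddress IP from a bulk exit list into a set for O(1) lookup."""
    ips = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            ips.add(str(ip_address(parts[1])))  # normalises the textual form of the address
    return ips

def flag_tor_activity(log_text, exit_ips, byte_threshold=1_000_000):
    """Summarise access-log requests whose source IP is a known Tor exit node."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0, "paths": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["ip"] not in exit_ips:
            continue  # unparseable line or not a Tor exit: skip
        rec = hits[m["ip"]]
        rec["requests"] += 1
        rec["bytes"] += int(m["bytes"]) if m["bytes"] != "-" else 0
        rec["paths"].append(m["req"].split(" ")[1] if " " in m["req"] else m["req"])
    for rec in hits.values():  # flag large transfers for analyst follow-up
        rec["substantial"] = rec["bytes"] >= byte_threshold
    return dict(hits)
```

In production the exit list would be fetched on a schedule and the same matching applied to netflow or PCAP-derived records, since an exit IP can also appear as a normal client.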
“Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols,” such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports.
“Organizations should research and enable the pre-existing Tor detection and mitigation capabilities within their existing endpoint and network security solutions, as these often employ effective detection logic. Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already provide some level of Tor detection capability,” suggest the FBI and CISA.
While it is possible to reduce risk by blocking all Tor web traffic, this highly restrictive approach will not totally eliminate risk, as not all Tor network access points are listed publicly. This approach will also block legitimate Tor traffic. Tailored monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes may be a better solution, although this approach is likely to be resource intensive.
Details of how to block, monitor, and analyze Tor traffic are provided in the alert, which is available for download as a PDF.