A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks

mood · Aug 10, 2020

A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks
Group still controls 10% of all Tor exit nodes today
August 10, 2020
https://www.zdnet.com/article/a-mys...-exit-nodes-to-perform-ssl-stripping-attacks/

Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser.
The group has been so prodigious and persistent in their attacks, that by May 2020, they ran a quarter of all Tor exit relays — the servers through which user traffic leaves the Tor network and accesses the public internet.

According to a report published on Sunday by an independent security researcher and Tor server operator known as Nusenu, the group managed 380 malicious Tor exit relays at its peak, before the Tor team made the first of three interventions to cull this network.
SSL STRIPPING ATTACKS ON BITCOIN USERS
"The full extend[sic] of their operations is unknown, but one motivation appears to be plain and simple: profit," Nusenu wrote over the weekend.
Click to expand...

How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

In December 2019 I wrote about The Growing Problem of Malicious Relays on the Tor Network with the motivation to rise awareness and to improve the situation over time. Unfortunately instead of improving, things have become even worse, specifically when it comes to malicious Tor exit relay activity.
[...]
As an immediate countermeasure against this ongoing issue the Tor Project could require physical address verification for all new (joined in 2020) Tor relay operators that run more than 0.5% of the Tor network’s exit or guard capacity.
Why 0.5%? It is a balance between the risk of malicious Tor relay capacity and the required effort for verification.
Click to expand...

Summary

Since the disclosure of large scale attacks on the Tor network malicious operator did run >10% of Tor’s guard capacity) in December 2019, no improvements with regards to malicious Tor relays have been implemented.

The malicious operator demonstrated to recover their capacity after initial removal attempts by Tor directory authorities.

The reoccurring events of large scale malicious Tor relay operations make it clear that current checks and approaches for bad-relays detection are insufficient to prevent such events from reoccurring and that the threat landscape for Tor users has changed.

Multiple specific countermeasures have been proposed to tackle the ongoing issue of malicious relay capacity.

Click to expand...

Palancar · Aug 11, 2020

I have done some extensive study on this subject as well. All the information above is directed at Crypto because of the profit from theft. It can apply to other areas quite easily. As one that employs Crypto countermeasures personally, may I simply suggest two surefire ways to cover ALL transactions. Regarding mixers, there are some reliable organizations the are full onion. Using onion servers front to back (6 servers) there is NO exit into clearnet so no data can be "picked off". Next, equally impactful, use a hardware wallet where the BTC address is displayed on the device itself. In this way the transaction is SIGNED in a way that ONLY the address on the device will be able to receive the transfer of coins. Not rocket science, but using these two simple methods assures you will not fall prey!

mirimir · Aug 12, 2020

Palancar said: ↑

Regarding mixers, there are some reliable organizations the are full onion. Using onion servers front to back (6 servers) there is NO exit into clearnet so no data can be "picked off".
Click to expand...

Huh, I thought that everyone knew to do that

mood · Aug 14, 2020

Tor security advisory: exit relays running sslstrip in May and June 2020
August 14, 2020
https://blog.torproject.org/bad-exit-relays-may-june-2020

In May 2020 we found a group of Tor exit relays that were messing with exit traffic. Specifically, they left almost all exit traffic alone, and they intercepted connections to a small number of cryptocurrency exchange websites. If a user visited the HTTP version (i.e. the unencrypted, unauthenticated version) of one of these sites, they would prevent the site from redirecting the user to the HTTPS version (i.e. the encrypted, authenticated version) of the site

We removed these attacking relays from the Tor network in May 2020. In June 2020 we found another group of relays doing a similar attack, and we removed those relays too.
This situation is a good reminder that HTTP requests are unencrypted and unauthenticated, and thus are still prone to attack. Tor Browser includes HTTPS-Everywhere to mitigate that risk, but it is only partially successful because it doesn’t list every website on the internet.
Click to expand...

Mitigating this kind of attack going forward
There are two pieces to mitigating this particular attack: the first piece involves steps that users and websites can do to make themselves safer, and the second piece is about identifying and protecting against relays that try to undermine the security of the Tor network.

For the website side, we would like to take the opportunity to raise the importance for website admins to always 1. Enable HTTPS for their sites (folks can get free certificates with Let's Encrypt), and to 2. Make sure they have a redirect rule for their site added to HTTPS-Everywhere, so their users use a safe connection preemptively, rather than relying on getting redirected after making an unsafe connection.
Click to expand...

Additionally, for web services interested in avoiding exit nodes entirely, we're asking companies and organizations to deploy onion sites.
Click to expand...

Log in or Sign up

A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks

mood Updates Team

Palancar Registered Member

mirimir Registered Member

mood Updates Team

Log in or Sign up

A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks

mood Updates Team

Palancar Registered Member

mirimir Registered Member

mood Updates Team

Useful Searches