Pierluigi Paganini July 05, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned enterprises about cyberattacks from the Tor network.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) is warning enterprises of cyberattacks launched from the Tor network.

Threat actors leverage the Tor network to hide the real source of their attacks and avoid that their C2 infrastructure could be identified and shut down by

Attackers use Tor to carry out malicious activities including system compromise, data exfiltration, denial of service (DoS) attacks, and also reconnaissance.

CISA recommends organizations to adopt necessary measures to block and monitor Tor network traffic, to identify attacks in an early stage.

“The use of Tor in this context allows threat actors to remain anonymous, making it difficult for network defenders and authorities to perform system recovery and respond to cyberattacks. Organizations that do not take steps to block or monitor Tor traffic are at heightened risk of being targeted and exploited by threat actors hiding their identity and intentions using Tor.” reads the advisory published by CISA.

“The risk of being the target of malicious activity routed through Tor is unique to each organization. An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls,”

CISA recommends organizations to assess whether legitimate users need to use Tor for their activities.

Organizations should evaluate the mitigation actions to prevent threat actors to use Tor to carry out malicious activities.

Network defenders can leverage various network, endpoint, and security appliance logs to detect the Tor traffic, and potentially identify malicious activity involving Tor by using indicator- or behavior-based analysis.

Using an indicator-based approach, defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to detect traffic from and to Tor exit nodes.

CISA also provides details about mitigation that enterprises should take to reduce the risks associated with attacks launched from the Tor, including:

• Most restrictive approach: Block all web traffic to and from public Tor entry and exit nodes. 
• Less restrictive approach: Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes. 
• Blended approach: Block all Tor traffic to some resources, allow and monitor for others. 

“Sophisticated threat actors may leverage additional anonymization technologies—such as virtual private networks (VPNs)—and configurable features within Tor—such as Tor bridges and pluggable transports—to circumvent detection and blocking.” CISA concludes. “Blocking the use of known Tor nodes may not effectively mitigate all hazards but may protect against less sophisticated actors.”

Pierluigi Paganini

(SecurityAffairs – hacking, Tor network)

[adrotate banner=”5″]

[adrotate banner=”13″]