FBI and CISA Issue Joint Warning Regarding Threat of Malicious Cyber Activity Using Tor

The FBI and the DHS' Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint advisory about cybercriminals using The Onion Router (Tor) in their attacks.

The U.S. Navy developed Tor as a free, open-source program in the mid-1990s. Today, Tor is used to browse the web anonymously. The online activity of a user connected to the Tor network cannot easily be traced back to their IP address: whenever a Tor user visits a website, the IP address of the exit node the user's traffic passed through is recorded rather than the user's own IP address.

Given the level of anonymity Tor provides, it is not surprising that many threat actors have adopted it to conceal their location and IP address and to carry out cyberattacks and other malicious activity anonymously. Cybercriminals are using Tor to conduct reconnaissance on targets, perform cyberattacks, access and exfiltrate data, deploy ransomware and malware, and launch Denial of Service (DoS) attacks. According to the alert, cybercriminals are also using Tor to relay commands from their command and control (C2) servers to malware and ransomware.

Because malicious activity can be carried out anonymously, it is difficult for network defenders to respond to attacks and complete system recovery. CISA and the FBI advise that organizations perform a risk assessment to determine their likelihood of being compromised via Tor. The risk associated with Tor will differ for each organization, so the assessment must consider the probability of an attack using Tor and the likelihood of its success given the mitigations and security controls already in place. Before deciding whether to block Tor traffic, it is important to evaluate the reasons legitimate users may choose Tor to access the network. Blocking Tor traffic will improve security, but it will also prevent legitimate Tor users from reaching the network.

CISA and the FBI note that a range of threat actors have used Tor in the past, including nation-state sponsored Advanced Persistent Threat (APT) actors and individual hackers. Organizations that do not take steps to either block inbound and outbound Tor traffic or closely monitor traffic from Tor nodes will be at greater risk of attack.

In these attacks, reconnaissance is carried out, targets are chosen, and active and passive scans are performed to identify vulnerabilities in public-facing applications that could be exploited anonymously. Conventional security tools alone are not adequate to detect and block such attacks; instead, a range of security solutions must be deployed and logging must be enabled so that potentially malicious activity can be evaluated using both indicator-based and behavior-based analysis.

The report states that, using an indicator-based approach, network defenders can use security information and event management (SIEM) tools and other log analysis platforms to identify suspicious activity associated with the IP addresses of Tor exit nodes. The Tor Project's Exit List Service maintains a downloadable record of all Tor exit node IP addresses. Security teams can use this list to find any significant transactions involving those IP addresses by examining their packet capture (PCAP), NetFlow and web server logs.
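As an added illustration of the indicator-based approach described above (example code written for this page, not part of the advisory or the Tor Project's own tooling), the script below parses an exit-node list and tallies requests and bytes per exit IP found in web server logs. Assumptions: the exit list is either one IP per line or in the `ExitAddress <ip> <timestamp>` style of the Tor Project's exit-addresses file, and the log is in the common "combined" format with the client IP first; the sample list and log lines are constructed, using documentation address ranges.

```python
import ipaddress
import re

# Constructed exit list (assumed format: ExitAddress lines or bare IPs).
# Addresses are RFC 5737 documentation ranges, not real exit nodes.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000000
Published 2020-07-01 00:00:00
LastStatus 2020-07-01 01:00:00
ExitAddress 198.51.100.23 2020-07-01 01:05:00
ExitAddress 203.0.113.77 2020-07-01 01:05:00
192.0.2.9
"""

# Constructed Apache/nginx "combined" log lines; client IP is the first field.
SAMPLE_WEB_LOG = """\
198.51.100.23 - - [01/Jul/2020:02:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jul/2020:02:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jul/2020:02:00:03 +0000] "POST /login HTTP/1.1" 401 256 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jul/2020:02:00:04 +0000] "GET /robots.txt HTTP/1.1" 404 128 "-" "curl/7.68.0"
"""

# client IP, then skip ident/user/timestamp/request, then status and bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) (\d+|-)')


def parse_exit_list(text):
    """Return the set of exit-node IPs; header lines and junk are skipped."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        candidate = parts[1] if parts[0] == "ExitAddress" and len(parts) > 1 else parts[0]
        try:
            exits.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # ExitNode / Published / LastStatus lines, or malformed entries
    return exits


def tor_hits(log_text, exits):
    """Per exit IP seen as a client, count requests and sum response bytes."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(1) not in exits:
            continue
        entry = hits.setdefault(m.group(1), {"requests": 0, "bytes": 0})
        entry["requests"] += 1
        entry["bytes"] += 0 if m.group(3) == "-" else int(m.group(3))
    return hits


if __name__ == "__main__":
    for ip, stats in tor_hits(SAMPLE_WEB_LOG, parse_exit_list(SAMPLE_EXIT_LIST)).items():
        print(f"{ip}: {stats['requests']} request(s), {stats['bytes']} bytes from a Tor exit node")
```

In practice the exit list should be refreshed regularly, since exit nodes change frequently, and a hit only means the client used Tor, not that the activity was malicious.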

Using a behavior-based approach, network defenders can uncover suspicious Tor activity by looking for the operational patterns of Tor client software and protocols, such as the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports they typically use.

The FBI and CISA recommend that organizations investigate and enable the Tor detection and mitigation capabilities already present in their existing endpoint and network security solutions, as these usually employ effective detection logic. Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already offer some level of Tor detection.

Although blocking all Tor traffic reduces risk, this highly restrictive approach will not eliminate it entirely, because not all Tor network entry points are publicly listed. It will also block legitimate Tor traffic. Tailored monitoring, analysis, and blocking of traffic to and from public Tor entry and exit nodes may be a better solution, although this approach is likely to be resource-intensive.

Details of how to block, monitor and analyze Tor traffic are provided in the alert; a PDF copy can be downloaded via this link.