U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Discovered attacks to compromise TOR Network and De-Anonymize users

On July 4 2014 Tor Team discovered a group of malicious relays that they assume were trying to deanonymize Tor Network users with confirmation attack technique. Tor network is an excellent technology to ensure users’ online anonymity, thanks to the Tor network users can hide online activities, staying far from the prying eyes of governments and […]

Discovered attacks to compromise TOR Network and De-Anonymize users

On July 4 2014 Tor Team discovered a group of malicious relays that they assume were trying to deanonymize Tor Network users with confirmation attack technique.

Tor network is an excellent technology to ensure users’ online anonymity, thanks to the Tor network users can hide online activities, staying far from the prying eyes of governments and law enforcement. Recently, members of the Tor project warned their users about the presence of a critical vulnerability that was probably being used to de-anonymize the identity of users within Tor network. A few weeks ago, researchers  from Carnegie Mellon University’s computer emergency response team (Cert), Alexander Volynkin and Michael McCord, revealed that they are able to de-anonymize Tor users using a cheap equipment. Initially they planned to reveal their discovery during the next Black Hat Conference in August, but later they have announced that they will not participate in the conference. On July 30th, the website of the Tor project published a security advisory to reveal that early this month, on July 4th 2014, a group of relays suffered a cyber attack that was conducted probably to deanonymize users. The experts at Tor project noticed that bad actors were targeting relays to track users accessing Tor networks or access Tor hidden services.

“They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.”

The security advisory explains that bad actors were leveraging a critical flaw in Tor to modify protocol headers in order to perform a traffic confirmation attack and inject a special code into the protocol header used by attackers to compare certain metrics from relays to de-anonymize users. The advisory reports that 115 malicious fast non-exit relays (6.4% of whole Tor network) were involved in the attack, the servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users. The malicious relays were running Tor version 50.7.0.0/16 or 204.45.0.0/16 and bad actors were using them trying to de-anonymize Tor users who visit and run so-called hidden services. The malicious relays joined the Tor network on January 30th 2014 and experts at Tor Project removed them from the network on July 4th 2014.

The members of Tor project team also advised hidden service operators to change the location of their hidden service.

While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” Tor said.

When users access the Tor network with Tor software, their IP address is not visible and it appears to the Internet as the IP address of a Tor exit relay, which can be anywhere.    Tor network exit relay

The members of the Tor project, explained that bad actors who conducted the confirmation attack were looking for users who fetched hidden service descriptors, this means that attackers were not able to see pages loaded by users neither whether users visited the hidden service they looked up.

“The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.” states the security advisory.

In order to close the critical flaw Tor Project team is suggesting Tor Relay Operators to upgrade Tor software to a recent release, either 0.2.4.23 or 0.2.5.6-alpha.  Tor project released a software update to prevent such attacks. It seems to be a bad period for Tor network, and more in general for anonymizing network, recently a serious flaw was discovered in Tails distribution, allowing attacker to reveal the users’ identity, while the Russian Government has recently announced a competition offering $111,000 to break Tor encryption.

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

Security Affairs –  (Tor networks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]