FBI and CISA Release Joint Advisory Concerning Threat of Malicious Cyber Activity Via Tor

The FBI and the DHS’ Cybersecurity Infrastructure Security Agency (CISA) released a joint warning lately concerning cybercriminals employing The Onion Router (Tor) in their cyberattacks.

The U.S. Navy created the Tor as a free, open-source software program in the 1990s. At this time, Tor is being employed to surf the net anonymously. The web activity of a person that is using the Tor network can’t be quickly tracked back to their IP address. Any time a Tor user visits a webpage, the IP address of the exit node he went through is logged instead of his own IP address.

Considering anonymity made available by Tor, as expected, a lot of threat actors have used it to cover their specific location and IP address and perform cyberattacks and other harmful actions without a trace. Cybercriminals are employing Tor to do spy on targets, execute cyberattacks, access and exfiltrate information, and install malware, ransomware, and perform Denial of Service (DoS) attacks. As per the advisory, cybercriminals are employing Tor too to communicate commands to ransomware and malware via their command and control servers (C2).

Because malicious actions could be executed anonymously, it is tricky for system defenders to act in response to attacks and carry out system recovery. CISA and the FBI suggest that companies carry out a risk evaluation to determine their possibility of compromise by means of Tor. The risk linked to Tor is going to be unique for each company therefore a review ought to ascertain the possibility of an attack by means of Tor, and the likelihood of success granted the mitigations and security controls that were used. Before making a decision whether or not to deter Tor traffic, it is necessary to review the factors why genuine users may be deciding to employ Tor to visit the network. Hindering Tor traffic is going to boost security although it will at the same time stop legit users of Tor from going to the network.

CISA and the FBI stated that a variety of diverse threat actors are making use of Tor in past times. There were nation-state sponsored Advanced Persistent Threat (APT) actors and/or low skill attackers. Businesses that do nothing to either stop inbound and outbound traffic by using Tor or keep an eye on traffic from Tor nodes intently are going to be at a higher danger of getting attacked.

In these Tor attacks, reconnaissance is performed, targets are picked, and active and passive scans are completed to track down vulnerabilities in public-facing programs which may be used in anonymous attacks. Basic security tools aren’t enough to locate and deter attacks, rather a selection of security solutions should be carried out and recording ought to be enabled for reviewing likely malicious activity employing both indicator and behavior-dependent reviews.

The report explained that employing an indicator-based method, network defenders could seek out security information and event management (SIEM) applications and other log review platforms to tag suspicious activities associating with the IP addresses of Tor exit nodes. The Tor Project’s Exit List Service keeps a listing of all Tor exit node IP addresses, which are downloadable. Security teams could utilize the listing to pinpoint any considerable transactions related to those IP addresses by looking at their packet capture (PCAP), web server logs and NetFlow.

When utilizing a behavior-based method, network defenders could show suspicious Tor activity by seeking the operational behavior of Tor client software and protocols, including User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports.

FBI and CISA suggest that companies need to research and allow the pre-existing Tor recognition and mitigation capabilities inside their present endpoint and network security options, as these frequently use effective detection logic. Options like web app firewalls, router firewalls, and network/host intrusion detection systems may actually give a certain degree of Tor detection function.

Though lowering the threat is likely by barring all Tor net traffic, this extremely restrictive tactic will not entirely eradicate risk as added Tor network access points aren’t all posted freely. This method will likewise deter legit Tor traffic. Customize monitoring, examination, and rejection of web traffic to and from open Tor entry and exit nodes could be a more effective solution, even though this tactic is very likely to be resource-demanding.

Specifics of how to deter, monitor and review Tor traffic are given in the advisory, a PDF copy may be downloaded on this page.