In an alert this week, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned enterprises about the use of Tor in cyberattacks.
Maintained by the non-profit Tor Project, the Tor software and the underlying relay network are meant to provide users with anonymity and a means of bypassing censorship: requests are wrapped in layers of encryption and routed through multiple volunteer-run relays, so no single relay sees both the user and the destination.
However, cybercriminals and other threat actors abuse Tor for anonymity and obfuscation, to conceal their identity when conducting cyber-operations. With Tor, the online activity of a user appears to originate from the IP address of a Tor exit node instead of their own IP address.
Types of malicious activity conducted over Tor include reconnaissance, system compromise, data exfiltration, denial of service (DoS) attacks, and ransomware delivery. Tor is also frequently used for command and control (C&C) communication.
Routing attacks through Tor makes attribution of the adversary difficult and hinders response to and recovery from cyberattacks. Organizations are therefore advised to monitor, and where appropriate block, traffic to and from the Tor network so that targeting and exploitation attempts can be identified.
“The risk of being the target of malicious activity routed through Tor is unique to each organization. An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls,” CISA says.
According to the agencies, an organization should assess whether legitimate users need Tor for their activities, and should also take into consideration the threat posed by attackers, ranging from low-skilled hackers to advanced persistent threats (APTs).
To detect malicious activity that leverages Tor, defenders can use indicator- or behavior-based analysis of network, endpoint, and security appliance logs. Security information and event management (SIEM) and other log analysis tools can flag connections involving Tor exit nodes, whose IP addresses the Tor Project publishes through its Exit List Service; because relays join and leave the network continuously, that list has to be refreshed regularly to stay useful.
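The following is an added example of the indicator- and behavior-based matching described above; it is not code from CISA, the FBI, or the Tor Project. It assumes a constructed CSV firewall log format (timestamp, direction, source IP, destination IP, destination port, action) and an exit-node list in the one-address-per-line layout of the Tor Project's bulk exit list (https://check.torproject.org/torbulkexitlist). The exit addresses and log lines are fabricated for the example. The port heuristic uses Tor's well-known default ports (9001 ORPort, 9030 DirPort, 9050/9150 SOCKS, 9051 control); relays frequently listen on 443 or 80 instead, so a port match is a lead, not proof.

```python
"""Indicator- and behavior-based Tor detection over firewall log lines.

Added example, not code from CISA, the FBI, or the Tor Project.
Assumptions: a constructed CSV log (ts,direction,src,dst,dport,action)
and an exit list in the one-IP-per-line bulk-exit-list layout.
"""
import csv
import io
import ipaddress

# Tor default ports: 9001 (ORPort), 9030 (DirPort), 9050/9150 (SOCKS),
# 9051 (control). Heuristic only; many relays sit on 443 or 80 to blend in.
TOR_PORTS = {9001, 9030, 9050, 9051, 9150}

# Constructed exit list in bulk-exit-list layout. Addresses are fabricated
# (documentation ranges) and are not real relays. A real list goes stale
# quickly, so refetch it on a schedule before using it as an indicator.
EXIT_LIST_TEXT = """\
# ExitNode list (constructed for this example)
198.51.100.7
203.0.113.42
not-an-ip
2001:db8::1
"""

# Constructed firewall log: ts,direction,src,dst,dport,action
SAMPLE_LOG = """\
2020-07-01T10:00:01Z,in,198.51.100.7,10.0.0.5,443,allow
2020-07-01T10:00:05Z,in,192.0.2.10,10.0.0.5,443,allow
2020-07-01T10:01:00Z,out,10.0.0.9,192.0.2.77,9001,allow
2020-07-01T10:01:30Z,out,10.0.0.9,203.0.113.42,443,allow
2020-07-01T10:02:00Z,out,10.0.0.12,192.0.2.88,80,allow
"""


def load_exit_list(text):
    """Parse exit-list text into a set of ip_address objects.

    Comment and blank lines are skipped. Lines that are not valid IPv4 or
    IPv6 addresses are dropped rather than aborting the whole load, so one
    bad line in a fetched list cannot blind the detection.
    """
    exits = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return exits


def parse_log(text):
    """Parse the constructed CSV firewall log into event dicts."""
    fields = ["ts", "direction", "src", "dst", "dport", "action"]
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        events.append({
            "ts": row["ts"],
            "direction": row["direction"],
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "action": row["action"],
        })
    return events


def find_tor_activity(events, exit_ips):
    """Return findings from two checks.

    Indicator-based: a peer address appears in the exit list (inbound hits
    are attacker traffic arriving via Tor; outbound hits suggest an internal
    host talking to the Tor network). Behavior-based: outbound traffic to a
    Tor default port, which catches clients whose guard relay is not in the
    exit list at all.
    """
    findings = []
    for ev in events:
        if ev["direction"] == "in" and ev["src"] in exit_ips:
            findings.append({"ts": ev["ts"], "kind": "inbound_from_tor_exit",
                             "peer": str(ev["src"]), "host": str(ev["dst"])})
        elif ev["direction"] == "out" and ev["dst"] in exit_ips:
            findings.append({"ts": ev["ts"], "kind": "outbound_to_tor_exit",
                             "peer": str(ev["dst"]), "host": str(ev["src"])})
        elif ev["direction"] == "out" and ev["dport"] in TOR_PORTS:
            findings.append({"ts": ev["ts"], "kind": "outbound_tor_port",
                             "peer": str(ev["dst"]), "host": str(ev["src"])})
    return findings


if __name__ == "__main__":
    for finding in find_tor_activity(parse_log(SAMPLE_LOG),
                                     load_exit_list(EXIT_LIST_TEXT)):
        print(finding)
```

In a SIEM the same two checks become a lookup against a regularly refreshed exit-list table plus a port rule; the exit-list match is high confidence but only covers traffic that touches an exit node, while the port rule is lower confidence and is what catches an internal host bootstrapping a Tor client.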
CISA also lists mitigation steps enterprises should take to reduce the risks associated with adversaries using Tor, ranging from monitoring and analysis to completely blocking traffic to and from public Tor nodes. However, it also warns that the use of additional anonymization technologies by sophisticated attackers, such as virtual private networks (VPNs), might circumvent detection and blocking systems.