author photo
By Clare O’Gara
Mon | Jul 6, 2020 | 9:04 AM PDT

Government officials are warning that Tor (The Onion Router) software is a double-edged sword.

What are Tor enabled cyber attacks?

On the surface, Tor is a great security resource.

The software allows users to browse the web anonymously through encryption and routing. This setup, managed by the Tor Project, promotes privacy and the free, democratic use of the internet.

But now, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI want cybersecurity professionals to watch out for this technology.

In a joint advisory, the government agencies explain how threat actors can use Tor to create a layer of anonymity and conceal malicious activity at different stages of network compromise.

The advisory includes examples of these stages, made possible through Tor:

  1. Performing reconnaissance
  2. Penetrating systems
  3. Exfiltrating and manipulating data
  4. Taking services offline through denial-of-service attacks and delivery of ransomware payloads

These risks require careful network monitoring:

"The use of Tor in this context allows threat actors to remain anonymous, making it difficult for network defenders and authorities to perform system recovery and respond to cyberattacks. Organizations that do not take steps to block or monitor Tor traffic are at heightened risk of being targeted and exploited by threat actors hiding their identity and intentions using Tor."

Tor cyber attacks viewed through ATT&CK

According to the advisory, the best way to watch for Tor-based attacks is to search for early warning signs.

CISA and the FBI break it down through the stages of ATT&CK. This system helps to distinguish early attack indicators from those when an attack is already underway.

Here are the early warning ATT&CK signs:

  • Target Selection
  • Technical Information Gathering: Conduct Active Scanning, Conduct Passive Scanning, Determine domain and IP address space, Identify security defensive capabilities
  • Technical Weakness Identification

And these are the ATT&CK underway indicators:

  • Initial Access: Exploit Public-Facing Applications
  • Command and Control: Commonly Used Port, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Multi-hop Proxy, Multilayer Encryption, Standard Application Layer Protocol
  • Exfiltration
  • Impact: Data Encrypted for Impact, Endpoint Denial of Service, Network Denial of Service

Staying aware of these stages can help organizations track and defend against Tor-based attacks.

Tor mitigation and defense techniques

But that's not all organizations can do to keep themselves safe, according to the advisory.

CISA and the FBI also include three levels of mitigation approaches to defending against these attacks:

  • Most restrictive approach: Block all web traffic to and from public Tor entry and exit nodes.
  • Less restrictive approach: Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes.
  • Blended approach: Block all Tor traffic to some resources, allow and monitor for others.

Interested in more information about Tor-based cyberattacks? See the complete advisory here.