A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks

At one point, the group ran almost a quarter of all Tor exit nodes. Group still controls 10% of all Tor exit nodes today.
Written by Catalin Cimpanu, Contributor

Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser.

The group has been so prodigious and persistent in its attacks that by May 2020 it ran almost a quarter of the Tor network's exit capacity. Exit relays are the servers through which user traffic leaves the Tor network and reaches the public internet, so they are the one point on the path where plaintext HTTP traffic can be read and altered.

According to a report published on Sunday by an independent security researcher and Tor server operator known as Nusenu, the group managed 380 malicious Tor exit relays at its peak, before the Tor team made the first of three interventions to cull this network.

SSL stripping attacks on Bitcoin users

"The full extent of their operations is unknown, but one motivation appears to be plain and simple: profit," Nusenu wrote over the weekend.

The researcher says the group is performing "person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays," and that they are specifically targeting users accessing cryptocurrency-related websites using the Tor software or Tor Browser.

The goal of the person-in-the-middle attack is to execute "SSL stripping" attacks by downgrading the user's web traffic from HTTPS URLs to less secure HTTP alternatives.

Based on their investigation, Nusenu said the primary goal of these SSL stripping attacks was to allow the group to replace Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services.

Bitcoin mixers are websites that allow users to send Bitcoin from one address to another by breaking the funds into small sums and transferring them through thousands of intermediary addresses before re-joining the funds at the destination address. Once a session has been downgraded to plaintext HTTP, the exit relay can read and edit every page the mixer returns; by replacing the deposit address at the HTTP traffic level, the attackers effectively hijacked the user's funds without the user's or the Bitcoin mixer's knowledge. Because a wallet checks the address checksum before sending, the substituted address is itself well-formed, so nothing on the user's side looks broken.
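To make the two steps concrete, here is a small simulation added to this article; it is not code from Nusenu, the Tor Project or any mixer. One half models what a hostile exit does to a plaintext response (dropping the HSTS header, rewriting https:// links, substituting the deposit address); the other half is the check a client or a relay-monitoring probe can run on the page it receives. The hostname mixer.example, the headers, the page body and both addresses are constructed; the 20-byte "hash160" values are just SHA-256 prefixes used to build well-formed legacy (base58check) addresses, and bech32 addresses are out of scope.

```python
import hashlib
import re

# Added example (not the project's or the researcher's code). Simulates the
# SSL-stripping and Bitcoin-address-rewriting steps described in the article,
# plus the client-side audit that catches them. All sample data is constructed.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ('1...') and P2SH ('3...') addresses only.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version: bytes, hash160: bytes) -> str:
    """Encode version || hash160 || 4-byte checksum as a base58check address."""
    raw = version + hash160
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading 0x00 byte -> '1'
    return "1" * pad + out


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing checksum verifies."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    return len(raw) == 25 and _checksum(raw[:21]) == raw[21:]


# --- attacker side: what a hostile exit relay does to a plaintext response ---

def sslstrip(headers: dict, body: str) -> tuple[dict, str]:
    """Drop HSTS and rewrite https:// to http:// so the client stays on plaintext."""
    out = {k: v for k, v in headers.items()
           if k.lower() != "strict-transport-security"}
    if "Location" in out:
        out["Location"] = out["Location"].replace("https://", "http://")
    return out, body.replace("https://", "http://")


def rewrite_btc_addresses(body: str, attacker_addr: str) -> str:
    """Replace every legacy Bitcoin address in the page with the attacker's."""
    return BTC_ADDR_RE.sub(attacker_addr, body)


# --- client side: what a user, or a probe scanning exit relays, can check ---

def audit(headers: dict, body: str, trusted_addr: str) -> list[str]:
    """Findings to raise on a received page. trusted_addr must come from an
    out-of-band channel (e.g. the mixer's .onion service, whose traffic never
    leaves the Tor network), because a substituted address still passes the
    checksum and looks fine to a wallet."""
    findings = []
    if not any(k.lower() == "strict-transport-security" for k in headers):
        findings.append("no HSTS header")
    if "http://" in body:
        findings.append("plaintext http:// links in body")
    for addr in sorted(set(BTC_ADDR_RE.findall(body))):
        if not base58check_valid(addr):
            findings.append(f"malformed address {addr}")
        elif addr != trusted_addr:
            findings.append(f"deposit address replaced: {addr}")
    return findings


# Constructed sample: a mixer deposit page and a hostile exit's view of it.
MIXER_ADDR = base58check_encode(b"\x00", hashlib.sha256(b"mixer-deposit").digest()[:20])
ATTACKER_ADDR = base58check_encode(b"\x00", hashlib.sha256(b"hostile-exit").digest()[:20])
ORIG_HEADERS = {"Strict-Transport-Security": "max-age=31536000",
                "Location": "https://mixer.example/deposit"}
ORIG_BODY = (f"<p>Send BTC to {MIXER_ADDR}</p>"
             '<a href="https://mixer.example/status">status</a>')


def run_demo() -> tuple[list[str], list[str]]:
    """Audit the genuine page, then the page after a hostile exit touched it."""
    clean = audit(ORIG_HEADERS, ORIG_BODY, MIXER_ADDR)
    hdrs, body = sslstrip(ORIG_HEADERS, ORIG_BODY)
    body = rewrite_btc_addresses(body, ATTACKER_ADDR)
    tampered = audit(hdrs, body, MIXER_ADDR)
    return clean, tampered


if __name__ == "__main__":
    print(run_demo())
```

The point the audit makes is that checksum validation alone never detects the substitution: the attacker's address is as well-formed as the real one. Only the missing HSTS header, the downgraded links, and a comparison against an address obtained over a channel the exit relay cannot touch (the mixer's .onion service, or a connection with HTTPS-Only mode enforced) reveal the tampering.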

A difficult attack to pull off

"Bitcoin address rewriting attacks are not new, but the scale of their operations is," the researcher said.

Nusenu said that based on the contact email address used for the malicious servers, they tracked at least nine different malicious Tor exit relay clusters, added across the past seven months.

[Image: tor-exit-malicious.png, credit Nusenu]

The researcher said the malicious network peaked at 380 servers on May 22, when the group controlled 23.95% of the Tor network's exit capacity. Tor picks exit relays in proportion to their advertised bandwidth, so that share, rather than a raw count of relays, is what gave Tor users a roughly one-in-four chance of their traffic leaving through a malicious exit relay.

Nusenu said he's been reporting the malicious exit relays to Tor admins since May, and after the latest takedown on June 21, the threat actor's capabilities have been severely reduced.

[Image: tor-exit-malicious-takedowns.png, credit Nusenu]

Nonetheless, Nusenu also added that since the last takedown "there are multiple indicators that suggest that the attacker still runs >10% of the Tor network exit capacity (as of 2020–08–08)."

The researcher suggested that the threat actor is likely to continue their attack as the Tor Project does not have a thorough vetting process in place for entities who can join its network. While anonymity is a core feature of the Tor network, the researcher argues that better vetting can be put in place for at least exit relay operators.

A similar attack took place in 2018

A somewhat similar attack took place in 2018; however, it did not target Tor exit relays but Tor-to-web (Tor2Web) proxies -- web portals on the public internet that allow users to access .onion addresses usually reachable only via the Tor Browser.

At the time, US security firm Proofpoint reported that at least one Tor-to-web proxy operator was silently replacing Bitcoin addresses for users accessing ransomware payment portals intending to pay ransom demands -- effectively hijacking the payment and leaving the victims without a decryption key, even if they paid the ransom.
