FBI, CISA Share Mitigation Guidance for Obfuscated Cyberattacks Via Tor

July 06, 2020 - The FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency released a joint alert warning organizations of the threat of cyberattacks originating from Tor (The Onion Router), which allows hackers to anonymously perform cyberattacks and other malicious activities. 

Maintained by the Tor project, the software allows users to browse the internet anonymously, as it encrypts and routes requests through multiple relay nodes or layers. Tor is intended to “promote democracy and free anonymous use of the internet.” 

However, threat actors are leveraging Tor to conceal their identity and point of origin when engaging in “malicious cyber activity impacting the confidentiality, integrity, and availability of an organization’s information systems and data.”

The agencies warn Tor is being used to perform reconnaissance, gain access to victims’ systems, exfiltrate and manipulate data, and even take services offline through ransomware and denial-of-service attacks.

Further, the agencies have detected threat actors relaying their command and control (C2) server communications -- used to control malware-infected systems -- via Tor to hide the identity of the hackers’ servers. 

READ MORE: DHS CISA Alerts to OpenClinic GA Hospital Management System Flaws

“Using the Onion Routing Protocol, Tor software obfuscates a user’s identity from anyone seeking to monitor online activity (e.g., nation states, surveillance organizations, information security tools),” the agencies warned. 

“The use of Tor in this context allows threat actors to remain anonymous, making it difficult for network defenders and authorities to perform system recovery and respond to cyberattacks,” they added. “Organizations that do not take steps to block or monitor Tor traffic are at heightened risk of being targeted and exploited by threat actors hiding their identity and intentions using Tor.” 

In response, the agencies are urging organizations to assess the potential risk of compromise through Tor and to review their recommended mitigations to either block or closely monitor inbound and outbound traffic from known Tor nodes. 

The risk of malicious Tor activity varies by organizations, which means security leaders can determine risk by assessing the likelihood that a threat actor will target its systems and data, as well as the probability of a successful attack given the enterprise’s current mitigations and controls. 

As healthcare has remained a prime target for cybercriminal activity in recent years, security leaders should work to address the risk posed by Tor. The assessment should consider the legitimate reasons non-malicious users may need or prefer to use Tor to access the network, as well as an evaluation of mitigation against enterprise threats from advanced persistent threats (APTs). 

READ MORE: DHS CISA Urges Patch of Critical Palo Alto Pan-OS Vulnerability

Security leaders should also consider the potential risk of attack by moderately sophisticated attackers, and even low-skilled hackers, as all manner of cybercriminals have leveraged Tor to perform reconnaissance and cyberattacks in past attacks. 

In these attacks, hackers will first select a target, gather technical information through active and passive scanning and other means and identify weaknesses, before exploiting public-facing applications and additional attack methods. 

Standard security tools aren't enough to detect attacks through Tor. Security leaders should use a variety of network, endpoint, and security appliance logs to detect Tor use and possible malicious activity using indicator- and behavior-based analysis. 

“Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes,” the agencies explained. 

“The list of Tor exit node IP addresses is actively maintained by the Tor Project’s Exit List Service,” they added. "Organizations preferring bulk download may consider automated data ingest solutions, given the highly dynamic nature of the Tor exit list, which is updated hourly.” 

READ MORE: DHS CISA: Serious Vulnerabilities Found in 6 Medical Device Systems

In addition, security leaders should closely inspect any evidence of substantial transactions with Tor exit nodes, which can be found in netflow, packet capture (PCAP), and web server logs to detect malicious behavior. 

With a behavior-based approach, security leaders can search for the operational patterns of Tor client software and protocols, such as the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. This can also include highly structured Domain Name Service (DNS) queries. 

“Organizations should research and enable the pre-existing Tor detection and mitigation capabilities within their existing endpoint and network security solutions, as these often employ effective detection logic,” the agencies urged. “Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already provide some level of Tor detection capability.” 

Lastly, key mitigation methods can be employed to reduce the risk of threat actors leveraging Tor for malicious activities. In the most restrictive approach, organizations can block all web traffic to and from public Tor entry and exit nodes. However, it won’t completely eliminate the threat, as “additional Tor network access points, or bridges, are not all listed publicly.” 

A less restrictive approach would tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes, ideal for organizations that don’t want to block legitimate traffic. For this method, organizations will need to employ “network monitoring and traffic analysis for traffic from those nodes, and then consider appropriate blocking.” 

A blended approach will require greater effort, but may provide organizations with flexibility. 

“Ultimately, each entity must consider its own internal thresholds and risk tolerance when determining a risk mitigation approach associated with Tor,” the agencies concluded. “Sophisticated threat actors may leverage additional anonymization technologies—such as virtual private networks (VPNs)—and configurable features within Tor—such as Tor bridges and pluggable transports—to circumvent detection and blocking.” 

“Blocking the use of known Tor nodes may not effectively mitigate all hazards but may protect against less sophisticated actors,” they added. “For example, blocking outbound traffic to known Tor entry nodes could have an appreciable impact in blocking less sophisticated malware from successfully beaconing out to hidden C2 machines obfuscated by Tor.”