The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) is warning enterprises of cyberattacks launched from the Tor network.
Threat actors leverage the Tor network to hide the real source of their attacks and avoid that their C2 infrastructure could be identified and shut down by
Attackers use Tor to carry out malicious activities including system compromise, data exfiltration, denial of service (DoS) attacks, and also reconnaissance.
CISA recommends organizations to adopt necessary measures to block and monitor Tor network traffic, to identify attacks in an early stage.
“The use of Tor in this context allows threat actors to remain anonymous, making it difficult for network defenders and authorities to perform system recovery and respond to cyberattacks. Organizations that do not take steps to block or monitor Tor traffic are at heightened risk of being targeted and exploited by threat actors hiding their identity and intentions using Tor.” reads the advisory published by CISA.
“The risk of being the target of malicious activity routed through Tor is unique to each organization. An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls,”
CISA recommends organizations to assess whether legitimate users need to use Tor for their activities.
Organizations should evaluate the mitigation actions to prevent threat actors to use Tor to carry out malicious activities.
Network defenders can leverage various network, endpoint, and security appliance logs to detect the Tor traffic, and potentially identify malicious activity involving Tor by using indicator- or behavior-based analysis.
Using an indicator-based approach, defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to detect traffic from and to Tor exit nodes.
CISA also provides details about mitigation that enterprises should take to reduce the risks associated with attacks launched from the Tor, including:
“Sophisticated threat actors may leverage additional anonymization technologies—such as virtual private networks (VPNs)—and configurable features within Tor—such as Tor bridges and pluggable transports—to circumvent detection and blocking.” CISA concludes. “Blocking the use of known Tor nodes may not effectively mitigate all hazards but may protect against less sophisticated actors.”
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Tor network)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.