
Lizard Squad hit the Tor network, after Christmas attacks on Sony PSN and XBox Live networks

Members of the hacking group Lizard Squad, which paralyzed the Xbox Live and PlayStation Network (PSN) networks, have now targeted the Tor network.

The hacking collective Lizard Squad, which paralyzed the PlayStation Network and Xbox Live at Christmas, now seems to be concentrating its efforts on the popular Tor anonymity network.

At the time of writing, the Xbox Live service is up, while PSN still appears to be down, but messages on the Internet seem to confirm an attack on the Tor network, operated once again by Lizard Squad.

One of the Twitter accounts used by the collective confirmed that it has stopped the DDoS against Sony PSN and Xbox Live, while a new wave is targeting the Tor infrastructure.

“To clarify, we are no longer attacking PSN or Xbox. We are testing our new Tor 0day.” reads a tweet from @LizardMafia, one of the accounts used by Lizard Squad.

While it seems that the attacks stopped thanks to the intercession of Kim Dotcom, Lizard Squad hit the Tor network by introducing a ton of new relays into the overall network with the name “LizardNSA.”

“Someone who claims to be a part of Lizard Squad has set up a large number of Tor relays. That’s it,” said Runa A. Sandvik, an advocate with the Tor project.

The Lizard Squad attack doesn’t affect end users, because the group hasn’t targeted any critical servers of the infrastructure (i.e. directory authorities) with DDoS, but the introduction of new relays could allow a persistent attacker to de-anonymize Tor users.

The Lizard Squad team has added over 3000 relays, nearly half of the total number, with serious repercussions on the users’ anonymity.

Tor Project tweeted the following statement just after the attack:

“This looks like a regular attempt at a Sybil attack: the attackers have signed up many new relays in hopes of becoming a large fraction of the network. But even though they are running thousands of new relays, their relays currently make up less than 1 per cent of the Tor network by capacity. We are working now to remove these relays from the network before they become a threat, and we don’t expect any anonymity or performance effects based on what we’ve seen so far.”

Nadim Kobeissi, who developed the chat client Cryptocat, posted the link to the Tor metrics that demonstrate that Lizard Squad added a significant number of “LizardNSA” relays. “Currently there’s actually almost 10,000 relays, about 3,000 to 6,000 of those seem to be Lizard Squad’s,” he said.


Note that, to be effective, the new relays have to obtain enough consensus with the rest of the Tor network, as explained by Kobeissi and security researcher Frederic Jacobs to The Verge.

“The attack won’t be effective unless Lizard Squad’s relays obtain enough consensus with the rest of the network, which is currently not happening due to the newness of the relays and their low bandwidth allowance,” says Kobeissi.
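The gap between relay count and capacity described in the statements above can be checked from a relay list. The following Python sketch is an added example, not code from the Tor Project or from the original article; the field names, thresholds, and the sample network (7,000 established relays plus 3,000 new low-weight ones) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

def nickname_stem(nickname):
    """Strip trailing digits so 'LizardNSA17' and 'LizardNSA42' share a stem."""
    return re.sub(r"\d+$", "", nickname).lower()

def find_sybil_clusters(relays, today, min_count_share=0.10, max_age_days=7):
    """Flag nickname clusters that are large by relay count and recently joined.

    Each result reports the cluster's share by relay count and by consensus
    weight; the weight share is what governs how often clients pick the relays.
    """
    total_weight = sum(r["weight"] for r in relays)
    clusters = defaultdict(list)
    for r in relays:
        clusters[nickname_stem(r["nickname"])].append(r)

    flagged = []
    for stem, members in clusters.items():
        count_share = len(members) / len(relays)
        all_new = all((today - m["first_seen"]).days <= max_age_days
                      for m in members)
        if count_share >= min_count_share and all_new:
            weight = sum(m["weight"] for m in members)
            flagged.append({
                "stem": stem,
                "relays": len(members),
                "count_share": round(count_share, 3),
                "weight_share": round(weight / total_weight, 4),
            })
    return sorted(flagged, key=lambda c: c["count_share"], reverse=True)

def build_sample_network():
    """Constructed data only: dates and weights are illustrative assumptions."""
    established = [
        {"nickname": f"op{i}relay", "first_seen": date(2014, 1, 1), "weight": 1000}
        for i in range(7000)
    ]
    sybils = [
        {"nickname": f"LizardNSA{i}", "first_seen": date(2014, 12, 26), "weight": 20}
        for i in range(3000)
    ]
    return established + sybils

if __name__ == "__main__":
    for c in find_sybil_clusters(build_sample_network(), date(2014, 12, 27)):
        print(c)
```

On the constructed data the flagged cluster holds 30% of the relays but under 1% of the consensus weight, which is why a large relay count alone does not translate into a large share of user traffic.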

In the past, the operators of the Tor Project warned of possible traffic confirmation attacks against the Tor network.

On July 4, 2014, the Tor team discovered a group of malicious relays that they assume were trying to de-anonymize Tor network users with a confirmation attack technique.

“The security advisory explains that bad actors were leveraging a critical flaw in Tor to modify protocol headers in order to perform a traffic confirmation attack and inject a special code into the protocol header used by attackers to compare certain metrics from relays to de-anonymize users. The advisory reports that 115 malicious fast non-exit relays (6.4% of whole Tor network) were involved in the attack, the servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users. The malicious relays were running Tor version 50.7.0.0/16 or 204.45.0.0/16 and bad actors were using them trying to de-anonymize Tor users who visit and run so-called hidden services. The malicious relays joined the Tor network on January 30th 2014 and experts at Tor Project removed them from the network on July 4th 2014.”

The action carried out by Lizard Squad against the Tor network seems to be a demonstrative act to warn of possible attacks by law enforcement or intelligence agencies; the team is urging careful management of how new relay servers are added to the network to avoid its poisoning.

“Hi, do you guys still give away shirts for relay owners? We need about 3000 @torproject,” tweeted @LizardMafia.

Stay tuned …

Pierluigi Paganini

(Security Affairs –  Tor network, Lizard Squad)
