Be aware enterprises, it’s time to block Tor network

A research conducted by the IBM X-Force team reveals that a growing number of cyber attacks against big IT enterprises relies on the Tor network.

With the increase of Tor-based attacks, something needs to change, and IBM is advising companies to start blocking Tor.

A research conducted by the IBM X-Force team reveals that SQL injection, distributed denial-of-service attacks and vulnerability reconnaissance activity are growing, and cyber criminals are exploiting the Tor network even more to protect their anonymity.

The reason why these attacks leveraging on the Tor network is that the popular anonymizing architecture allows attackers to mask their identity and make ineffective countermeasures based on the knowledge of the source of the offensive.

In the US only, in 2015, the number of cyber attacks and other malicious events that relied on the Tor network is 150.000, and experts speculate that this value will grow up until the end of the year.

Besides the fact that Tor is being used to anonymized the attackers identity, another factor emerges from the research, the Tor network is being used to target big IT and communications companies.

Researchers uncovered a number of targeted attacks affecting SCADA systems.

“They are specific targets,”, “They [the Tor-based attackers] are looking for information” said the senior threat researcher with IBM X-Force John Kuhn

“I tell companies to just block Tor for incoming and outgoing””It might have been a great tool at one time to [provide] privacy, but it’s not a place you want your corporate network to have any connection to.”

According to the expert the drastic measure is the unique effective from the perspective of a company which has no reason to allow the access to the Tor network (besides some specific cases that can be explicitly allowed).

The study of the X-Force team revealed that SQL injection is the most prevalent attack exploiting the Tor network due to the availability of applications like Havij.

“It’s really popular: it was intended for pen testers, but malicious actors use it constantly,” “We also saw a lot of blind SQL injection and pointed SQL injection, and a lot of vulnerability scanning.”

Tor is being used to hide the control infrastructure for botnets, making them resilient to the takeover operation conducted by security firm and law enforcement.

“What they’re doing is using a distributed method,”, “They issue a command from all those nodes and it spans from 100 to 150 exit nodes at once. So you get an onslaught of attacks from different Tor exit nodes.”.

“In general, networks should be configured to deny access to websites such as www.torproject.org or any other sites associated with anonymous proxies or anonymization services such as Tor and The Invisible Internet Project (I2P). Users should be warned that accessing prohibited websites could result in disciplinary action,”

However we cannot ignore the importance of the Tor network as an instrument to bypass the censorship applied by many governments.

The measure suggested by the IBM could be limited to corporate environments from attacks that rely on the Tor network.

With the increase of Tor-based attacks, something needs to change, and IBM is advising companies to start blocking Tor.

A research conducted by the IBM X-Force team reveals that SQL injection, distributed denial-of-service attacks and vulnerability reconnaissance activity are growing, and cyber criminals are exploiting the Tor network even more to protect their anonymity.

The reason why these attacks leveraging on the Tor network is that the popular anonymizing architecture allows attackers to mask their identity and make ineffective countermeasures based on the knowledge of the source of the offensive.

In the US only, in 2015, the number of cyber attacks and other malicious events that relied on the Tor network is 150.000, and experts speculate that this value will grow up until the end of the year.

Besides the fact that Tor is being used to anonymized the attackers identity, another factor emerges from the research, the Tor network is being used to target big IT and communications companies.

Researchers uncovered a number of targeted attacks affecting SCADA systems.

“They are specific targets,”, “They [the Tor-based attackers] are looking for information” said the senior threat researcher with IBM X-Force John Kuhn

“I tell companies to just block Tor for incoming and outgoing””It might have been a great tool at one time to [provide] privacy, but it’s not a place you want your corporate network to have any connection to.”

According to the expert the drastic measure is the unique effective from the perspective of a company which has no reason to allow the access to the Tor network (besides some specific cases that can be explicitly allowed).

The study of the X-Force team revealed that SQL injection is the most prevalent attack exploiting the Tor network due to the availability of applications like Havij.

“It’s really popular: it was intended for pen testers, but malicious actors use it constantly,” “We also saw a lot of blind SQL injection and pointed SQL injection, and a lot of vulnerability scanning.”

Tor is being used to hide the control infrastructure for botnets, making them resilient to the take over operation conducted by security firm and law enforcement.

“What they’re doing is using a distributed method,”, “They issue a command from all those nodes and it spans from 100 to 150 exit nodes at once. So you get an onslaught of attacks from different Tor exit nodes.”.

“In general, networks should be configured to deny access to websites such as www.torproject.org or any other sites associated with anonymous proxies or anonymization services such as Tor and The Invisible Internet Project (I2P). Users should be warned that accessing prohibited websites could result in disciplinary action,”

However we cannot ignore the importance of the Tor network as an instrument to bypass the censorship applied by many governments.

The measure suggested by the IBM could be limited to corporate environments from attacks that rely on the Tor network.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – Tor network, cybercrime)