A malicious actor added hundreds of exit relays to the Tor network and used them to perform SSL stripping attacks on cryptocurrency payments, an independent security researcher has revealed. The attacks targeted cryptocurrency-related traffic as it left the Tor network through those relays.
The report, by the researcher known as Nusenu, says that at the peak of the operation, around May 2020, the group ran about 380 exit relays, roughly a quarter of the network's exit capacity, so a Tor user had about a one in four chance of leaving the network through a malicious relay. The Tor Project responded by removing a large share of the malicious relays, but the full extent of the operation remains unknown.
SSL stripping attacks on cryptocurrency payments through the Tor network
The attackers were “performing person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays,” the report says. Profit appears to have been the primary motive: rather than tampering with all traffic, the attackers selectively targeted users visiting cryptocurrency-related websites through Tor Browser or similar software.
To execute the attack, the malicious exit relays downgraded connections from HTTPS to plain HTTP (SSL stripping). Because the victim's browser never attempted a TLS connection, no certificate warning appeared, and the relay could read and modify the unencrypted page. The attackers then replaced the Bitcoin addresses shown on the page with their own. The targeted sites were Bitcoin mixing services, which split a payment into small sums, pass them through different addresses and consolidate the funds at the destination. By rewriting the deposit addresses, the attackers diverted the incoming payments to their own wallets without the users or the mixers noticing.
Tor team faces challenges in verifying relay operators
The Tor Project is struggling to vet relay operators because the COVID-19 crisis has cut its resources and forced staff layoffs. The reduced staffing has limited the team's ability to verify relay operators on the network, creating an opportunity for abuse.
Tor also has no way to verify a relay operator's identity or to track an operator's behaviour over the lifetime of a relay. Consequently, malicious operators can register relays that appear legitimate and only begin tampering with traffic later.
Reasons for the success of SSL stripping attacks
The attack relied on users not noticing whether Tor Browser's address bar shows “https://” or “http://”. Most users also do not type the scheme, so the browser's first request goes out over plain HTTP, and that initial unencrypted request is exactly what a malicious exit can intercept. Sites that do not force HTTPS make this worse, but an HTTP-to-HTTPS redirect on its own is not enough: an exit relay that sees the unencrypted request can follow the redirect itself and hand the victim a plaintext copy of the page.
The Tor Project has advised webmasters to enable HTTP Strict Transport Security (HSTS), which tells the browser to use HTTPS for the site on every later visit without first asking over plain HTTP. HSTS only takes effect once the browser has seen the header over a genuine HTTPS connection, so a first visit remains exposed unless the site is also on the browsers' HSTS preload list. Owners of sites still served without encryption were advised to obtain a free TLS certificate, for example from Let's Encrypt, to protect their users from similar attacks.
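To make the mechanism concrete, here is an added simulation, not code from the report or from the Tor Project, that models the attack described above and the HSTS defence in one place: a toy origin site that redirects plain HTTP to HTTPS and sends an HSTS header, a malicious exit relay that follows that redirect on the victim's behalf, strips the HSTS header, rewrites https:// links to http:// and swaps the Bitcoin address, and a minimal browser with an HSTS store. The host name, the two addresses and the page text are constructed fixtures, not real services or wallets, and the relay is modelled as able to touch plaintext only, since it holds no valid certificate for the site.

```python
import re
from urllib.parse import urlsplit

# Constructed fixtures (not real services or addresses): a toy "mixer" site and two
# syntactically valid-looking P2PKH addresses, one the site's, one the attacker's.
SITE_HOST = "mixer.example"
DEPOSIT_ADDR = "1MixerDepositAddr3333333333333333"
ATTACKER_ADDR = "1AttackerAddr22222222222222222222"

# Legacy (P2PKH/P2SH) base58 addresses: leading 1 or 3, then 25-34 base58 characters.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
REDIRECTS = (301, 302, 307, 308)


def origin_server(scheme, path):
    """Toy origin: port 80 only redirects to HTTPS; HTTPS serves the page with an HSTS header."""
    if scheme == "http":
        return 301, {"Location": f"https://{SITE_HOST}{path}"}, ""
    body = (f'<a href="https://{SITE_HOST}/deposit">deposit</a> '
            f"Send your coins to {DEPOSIT_ADDR}")
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, body


def honest_exit(scheme, path):
    """A well-behaved exit relay just forwards the request."""
    return origin_server(scheme, path)


def malicious_exit(scheme, path):
    """SSL-stripping exit relay. It can only tamper with plaintext HTTP: an HTTPS
    connection is end-to-end TLS and the relay has no certificate for the site."""
    if scheme == "https":
        return origin_server("https", path)
    # Follow the site's HTTP->HTTPS redirect on the victim's behalf, then serve the
    # result back over plaintext so the browser never starts a TLS handshake.
    status, headers, body = origin_server("http", path)
    if status in REDIRECTS:
        loc = urlsplit(headers["Location"])
        status, headers, body = origin_server(loc.scheme, loc.path)
    headers = {k: v for k, v in headers.items() if k.lower() != "strict-transport-security"}
    body = body.replace("https://", "http://")      # keep the victim on plaintext
    body = BTC_ADDR_RE.sub(ATTACKER_ADDR, body)     # rewrite the payment address
    return status, headers, body


def parse_hsts_max_age(header):
    """Return the max-age of a Strict-Transport-Security header, or 0 if absent/invalid."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return 0


class Browser:
    """Minimal client with an HSTS store: hosts in the store are always fetched over HTTPS."""

    def __init__(self, preload=()):
        self.hsts = set(preload)   # the preload list ships with the browser

    def fetch(self, url, network, max_redirects=5):
        for _ in range(max_redirects + 1):
            u = urlsplit(url)
            scheme = "https" if u.hostname in self.hsts else u.scheme
            status, headers, body = network(scheme, u.path or "/")
            # An HSTS policy is only trusted when it arrived over HTTPS.
            if scheme == "https" and parse_hsts_max_age(headers.get("Strict-Transport-Security", "")) > 0:
                self.hsts.add(u.hostname)
            if status in REDIRECTS:
                url = headers["Location"]
                continue
            return scheme, body
        raise RuntimeError("too many redirects")


def visit_via_malicious_exit(preloaded):
    """First-ever visit, typed as http://, through the malicious exit.
    Returns (final scheme, genuine address present, attacker address present)."""
    b = Browser(preload=[SITE_HOST] if preloaded else [])
    scheme, body = b.fetch(f"http://{SITE_HOST}/", malicious_exit)
    return scheme, DEPOSIT_ADDR in body, ATTACKER_ADDR in body


def returning_visitor():
    """An earlier visit over an honest exit cached the site's HSTS policy, so a later
    http:// visit through the malicious exit is upgraded before it leaves the browser."""
    b = Browser()
    b.fetch(f"http://{SITE_HOST}/", honest_exit)
    scheme, body = b.fetch(f"http://{SITE_HOST}/", malicious_exit)
    return scheme, DEPOSIT_ADDR in body, ATTACKER_ADDR in body


if __name__ == "__main__":
    print("first visit, no preload:", visit_via_malicious_exit(False))   # ('http', False, True)
    print("first visit, preloaded: ", visit_via_malicious_exit(True))    # ('https', True, False)
    print("returning visitor:      ", returning_visitor())               # ('https', True, False)
```

The three cases show the point the advice above turns on: the site's own redirect never reaches a first-time visitor who typed http://, because the relay consumes it, while a browser that already holds an HSTS policy for the host (from the preload list or from an earlier clean HTTPS visit) never sends the plaintext request the relay needs.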
Risk of similar attacks remains high
While the observed attacks targeted only cryptocurrency payments, the same technique works against any unencrypted traffic leaving the Tor network, so anything sent over plain HTTP through a malicious exit could be read or altered.
The Tor Project has also not managed to remove the malicious relays entirely: by one estimate, up to 10% of them remained on the network after the cleanup. The researcher also believes the operators have adapted their tactics and continue to target cryptocurrency payments on the Tor network while evading detection.