Hackers hijack Tor exit nodes for SSL stripping attacks

They replace Bitcoin addresses in HTTP traffic and thereby redirect Bitcoin transactions to addresses they control. At its peak, the unknown group of hackers controlled almost 25 percent of all exit nodes in the Tor network.

An unknown group of hackers has been attacking the Tor anonymization network since January of this year. It adds exit nodes to Tor in order to attack users of cryptocurrency websites with SSL stripping. In May, the group temporarily operated almost a quarter of all exit relays, i.e. the servers through which user traffic leaves the Tor network and re-enters the public Internet.

The independent security researcher Nusenu, who runs a Tor relay himself, has been tracking the group. According to him, the hackers operated up to 380 malicious Tor exit relays. Interventions by the Tor team have since reduced this number.

“The full extent of the operation is not known, but one motivation seems to be clear: profit,” writes Nusenu in a blog post. According to him, the hackers manipulate the traffic that is routed through their exit nodes. Using SSL stripping, they try to downgrade HTTPS connections to unencrypted HTTP. Their actual goal is to replace Bitcoin addresses in the HTTP traffic of so-called Bitcoin mixing services.

Bitcoin mixers are websites that allow users to send bitcoins from one address to another by splitting the sum into many small partial amounts and routing them through thousands of addresses before they are reassembled at the actual recipient. If the destination addresses are replaced in the HTTP traffic, the attackers can effectively redirect the transactions without the sender or the Bitcoin mixer noticing.
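The following Python is an added illustration, not code from the article or from the attackers: it models the rewriting a malicious exit relay applies to a plaintext HTTP response (removing the HSTS header, downgrading https:// links, swapping every Bitcoin address for the attacker's), and the browser-side rule that defeats the downgrade, namely an HSTS entry for the host. The HTTP response, both addresses and the hostname mixer.example are constructed for the example; the addresses are not real wallets.

```python
import re

# Constructed sample data for this example: the addresses are made up and are
# not real wallets; mixer.example is a hypothetical hostname.
MIXER_ADDR = "1MixerDepositAddr7k3Q9v2wX4fJ8nH5bK"
ATTACKER_ADDR = "1AttackerSwapAddr9Q4mK2vX7bJ3nH8cF5"

# The plaintext HTTP response a mixing site would return once the session has
# already been downgraded to HTTP (constructed).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    "<html><body>\n"
    '<a href="https://mixer.example/deposit">Deposit</a>\n'
    f"<p>Send exactly 0.5 BTC to {MIXER_ADDR}</p>\n"
    "</body></html>\n"
)

# Legacy base58 addresses (starting with 1 or 3) and bech32 addresses (bc1...).
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b"
)


def strip_and_swap(response: str, attacker_addr: str) -> str:
    """Model of what a malicious exit relay does to a plaintext HTTP response:
    drop the HSTS header so the browser never learns to insist on HTTPS,
    rewrite https:// links to http:// so follow-up requests stay in plaintext,
    and replace every Bitcoin address in the body with the attacker's own."""
    head, _, body = response.partition("\r\n\r\n")
    headers = [
        h for h in head.split("\r\n")
        if not h.lower().startswith("strict-transport-security:")
    ]
    body = body.replace("https://", "http://")
    body = BTC_ADDR_RE.sub(attacker_addr, body)
    return "\r\n".join(headers) + "\r\n\r\n" + body


def find_addresses(text: str) -> list:
    """Return every Bitcoin address found in text, in order of appearance."""
    return BTC_ADDR_RE.findall(text)


def resolve_with_hsts(url: str, hsts_hosts: set) -> str:
    """Simplified browser rule that defeats the downgrade: a host already in
    the HSTS store (or on the preload list) is always fetched over HTTPS, so
    the exit relay never sees a plaintext request it could tamper with."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if scheme == "http" and host in hsts_hosts:
        return "https://" + rest
    return url


if __name__ == "__main__":
    tampered = strip_and_swap(SAMPLE_RESPONSE, ATTACKER_ADDR)
    print(tampered)
    print("addresses now on page:", find_addresses(tampered))
    print(resolve_with_hsts("http://mixer.example/deposit", {"mixer.example"}))
```

The point of the two halves is that the substitution itself is trivial once traffic is in plaintext; the only robust defence is never letting the first request leave the browser over HTTP, which is what an HSTS store entry (or, for Tor users, reaching the service through its own onion address rather than an exit) provides.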

By analyzing the contact email addresses of the malicious Tor relays, the researcher found that the hackers had operated at least nine exit relay clusters over the past seven months. He first reported this to the Tor team in May. Most recently, malicious exit nodes were removed on June 21, which severely restricted the attackers’ options.
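As an added illustration (not part of the original article and not Nusenu's own tooling), the following Python groups exit relays by the email address in their ContactInfo and sums the exit probability each contact controls, which is the clustering step the article describes. The relay records are constructed in the shape of entries from Onionoo's "details" documents; the nicknames, contacts, probabilities and the 2 percent reporting threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _relay(nick, contact, exit_prob, flags=("Exit", "Running", "Valid")):
    """Build one relay record in the shape of an Onionoo 'details' entry."""
    return {"nickname": nick, "contact": contact,
            "exit_probability": exit_prob, "flags": list(flags)}


# Constructed sample (not real relay data): one operator running five exits
# under the same ContactInfo, three exits with no contact at all, one small
# unrelated operator, a guard-only relay and an exit that is currently down.
SAMPLE_RELAYS = (
    [_relay(f"bigexit{i}", "Ops <ops@cluster-one.example>", 0.05) for i in range(5)]
    + [_relay(f"noinfo{i}", "", 0.01) for i in range(3)]
    + [_relay("small", "anon@cluster-two.example", 0.005)]
    + [_relay("guardonly", "guard@cluster-three.example", 0.0,
              flags=("Guard", "Running", "Valid"))]
    + [_relay("offline", "ops@cluster-one.example", 0.05, flags=("Exit", "Valid"))]
)


def contact_key(contact):
    """Normalise ContactInfo: use the email address if one is present,
    otherwise the lower-cased string, otherwise a marker for 'no contact'."""
    contact = (contact or "").strip()
    m = EMAIL_RE.search(contact)
    if m:
        return m.group(0).lower()
    return contact.lower() or "(no contact)"


def exit_share_by_contact(relays, min_share=0.02):
    """Sum the exit probability of running exit relays per contact and return
    [(contact, share, relay_count)] sorted by share, descending, for every
    contact at or above min_share (2 percent is an assumed threshold).
    Relays without the Exit or Running flag are ignored because they cannot
    carry exit traffic right now."""
    totals = defaultdict(lambda: [0.0, 0])
    for r in relays:
        flags = set(r.get("flags", []))
        if "Exit" not in flags or "Running" not in flags:
            continue
        key = contact_key(r.get("contact"))
        totals[key][0] += r.get("exit_probability", 0.0)
        totals[key][1] += 1
    clusters = [(k, round(s, 6), n) for k, (s, n) in totals.items() if s >= min_share]
    return sorted(clusters, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for contact, share, count in exit_share_by_contact(SAMPLE_RELAYS):
        print(f"{share:6.1%}  {count:3d} relays  {contact}")
```

Relays with an empty ContactInfo end up in a single "(no contact)" bucket; in practice that bucket is large and mixes honest and malicious operators, which is why a real analysis also looks at first-seen dates, uptime patterns and hosting providers before calling a set of relays a cluster.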

Nusenu currently assumes that more than 10 percent of all active exit nodes in the Tor network are still under the hackers’ control. He also expects them to continue their attacks, because there is no reliable vetting procedure for new relay operators, a consequence of the network’s anonymity requirements. Nusenu nevertheless called for stricter controls on operators of exit nodes.

Proofpoint researchers discovered a similar attack back in 2018. At that time, Tor2Web proxies were manipulated to swap Bitcoin addresses as well.
