
Tor under attack by a persistent, high-resource threat actor

rcmaehl

Summary

Someone (or some group) is attempting to de-anonymize Tor traffic. The attacker(s) own at least 900 high-bandwidth servers worldwide, making up 10% of all Tor servers.

 

Media
(graph from Nusenu's research; see Sources below)

 

Quotes

Quote

someone has been running hundreds of malicious servers on the Tor network, potentially in an attempt to de-anonymize users and unmask their web activity. Emanating from one sophisticated and persistent actor, who somehow has the resources to run droves of high-bandwidth servers for years on end. The malicious servers were initially spotted by a security researcher... "nusenu"... who operates their own node on the Tor network. Nusenu writes that they first uncovered evidence of the threat actor... "KAX17"... back in 2019. After doing further research into KAX17, they discovered that they had been active on the network as far back as 2017.

KAX appears to be running large segments of Tor's network. Nodes within Tor's network are volunteer-run; you don't have to pass any sort of background check to run one—or several—of them. The chances that a Tor user's circuit could be traced by KAX are relatively high. You had a 16 percent likelihood of using their relay as a first "hop" (i.e., node in your circuit) when you logged onto Tor. You had a 35 percent chance of using one of their relays during your 2nd "hop," and a 5 percent chance of using them as an exit relay.

There's also evidence that the threat actor engaged in Tor forum discussions, during which they seem to have lobbied against administrative actions that would have removed their servers from the network. It's unclear who might be behind all this, but it seems that, whoever they are, they have a lot of resources. "We have no evidence that they are actually performing de-anonymization attacks, but they are in a position to do so,"

 

My thoughts

If you're interested in more technical details, I would REALLY recommend Nusenu's Medium article; it's incredibly detailed. The attacker has been a bit sloppy, so there are a lot of tidbits of information here and there in their breakdown.

 

Sources

Gizmodo (Quote source)

The Record

Nusenu's Research (Media source, GRAPHS!)

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

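The quoted 16% / 35% / 5% figures are per-position odds; what a practitioner actually cares about is what they mean for one three-hop circuit, and in particular how often the same operator holds both the guard and the exit, which is the position needed for end-to-end traffic correlation. The script below is an added worked example, not code from nusenu, the Tor Project, or this thread. Its relay list is constructed so that a hypothetical operator labelled "KAX17" lands on exactly those three shares; position share is taken as bandwidth-proportional among eligible relays, which leaves out Tor's bandwidth-weight adjustments, the family and /16 exclusion rule, and guard pinning. All of those are assumptions of the example.

```python
"""Per-position relay share and circuit exposure for one relay group.

Added worked example; not code from nusenu, the Tor Project, or the thread.
The relay list is constructed so that the hypothetical operator "KAX17"
ends up with the 16 % / 35 % / 5 % guard / middle / exit shares quoted in
the post. Position shares are bandwidth-proportional among eligible relays,
which ignores Tor's bandwidth-weight adjustments (Wgg, Wmd, ...), the
family / same-/16 exclusion, and the fact that guards are pinned for months.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    nickname: str
    bandwidth: int   # consensus weight, arbitrary units (constructed)
    guard: bool      # carries the Guard flag
    exit: bool       # carries the Exit flag
    operator: str    # hypothetical attribution label for this example


# Constructed sample, not real consensus data.
SAMPLE_RELAYS = [
    Relay("kax-g1",   500, True,  False, "KAX17"),
    Relay("kax-g2",   300, True,  False, "KAX17"),
    Relay("kax-m1",  1300, False, False, "KAX17"),
    Relay("kax-m2",  1300, False, False, "KAX17"),
    Relay("kax-x1",   100, False, True,  "KAX17"),
    Relay("good-g1", 2000, True,  False, "other"),
    Relay("good-g2", 2200, True,  False, "other"),
    Relay("good-m1",  400, False, False, "other"),
    Relay("good-x1",  900, False, True,  "other"),
    Relay("good-x2", 1000, False, True,  "other"),
]


def _share(eligible, operator):
    """Fraction of the eligible bandwidth owned by `operator`."""
    total = sum(r.bandwidth for r in eligible)
    owned = sum(r.bandwidth for r in eligible if r.operator == operator)
    return owned / total if total else 0.0


def position_share(relays, operator):
    """Probability that a fresh pick for each position lands on `operator`.

    Guards need the Guard flag, exits the Exit flag; any relay may serve as
    the middle. Real Tor additionally weights by flag combination (omitted).
    """
    return {
        "guard":  _share([r for r in relays if r.guard], operator),
        "middle": _share(relays, operator),
        "exit":   _share([r for r in relays if r.exit], operator),
    }


def circuit_exposure(p_guard, p_middle, p_exit):
    """Derive per-circuit odds from per-position odds.

    Assumes the three picks are independent. Tor never puts two relays of
    one declared family or one /16 into the same circuit, so for a group
    that declares a family this overstates "all_three"; a group that hides
    its relationship, as described in the post, is exactly the case where
    that exclusion does not help.
    """
    p_none = (1 - p_guard) * (1 - p_middle) * (1 - p_exit)
    return {
        # at least one hop is theirs: they see some circuit metadata
        "any_hop": 1 - p_none,
        # both ends: the position needed for end-to-end traffic correlation
        "guard_and_exit": p_guard * p_exit,
        # whole circuit: full path knowledge
        "all_three": p_guard * p_middle * p_exit,
    }


if __name__ == "__main__":
    shares = position_share(SAMPLE_RELAYS, "KAX17")
    print("position shares:", {k: round(v, 3) for k, v in shares.items()})
    risk = circuit_exposure(shares["guard"], shares["middle"], shares["exit"])
    print("per-circuit exposure:", {k: round(v, 4) for k, v in risk.items()})
```

With the quoted shares, roughly 48% of fresh circuits touch at least one of the operator's relays, but only 0.8% have the operator at both ends. The per-circuit number understates the per-user risk, though: a Tor client keeps its guard for months, so a user who drew one of the operator's guards stays exposed on the guard side for every circuit built in that period.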

I have a feeling it might be the FBI

[GIF: "FBI, open up"]

/s

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


Tor and I2P are typically blocked at the corporate firewall, as they're used as a conduit to secure ransomware (among other forms of malware) communications back to a C&C remote server. While I get that people prefer anonymity, as someone who has to protect networks, this is no big loss to me.

 

Now for private use at home or from a cell phone, that's another matter entirely.


Honestly, I don't understand the technical aspects fully, and I don't think that an approach like this is justified or a good idea, but why does everything have to be "anonymous"? ... This has led to some very questionable behavior and social changes in the last 20 years... for example, if someone calls you names or a "liar", why can't you just sue them for defamation... this is an offense and you should at least be eligible for compensation...

 

"Nah, bro, its just a prank" "you need thicker skin"...

 

Yeah, sure, but that's beside the point. This is simply not a healthy environment, and there should be consequences for what you do; just because it's "the internet" doesn't mean everyone (well, many) needs to turn into vile trolls/bullies/stalkers (especially a problem on so-called "social platforms" like Twitch, etc.). The victims of such behavior are often almost helpless, and why? Because "my anonymity, bro..."

 

 

 

 

The direction tells you... the direction

-Scott Manley, 2021

 

Software used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


16 minutes ago, Mark Kaine said:

Honestly, I don't understand the technical aspects fully, and I don't think that an approach like this is justified or a good idea, but why does everything have to be "anonymous"? ... This has led to some very questionable behavior and social changes in the last 20 years... for example, if someone calls you names or a "liar", why can't you just sue them for defamation... this is an offense and you should at least be eligible for compensation...

 

"Nah, bro, its just a prank" "you need thicker skin"...

Like any tool, it can be abused.

 

There are legit reasons for anonymity, such as avoiding persecution by nation states and people looking to dox others. On the other hand, you have cowards conducting attacks who are also hiding behind the cloak of anonymity. Basically, you have to take the good with the bad.


16 minutes ago, leadeater said:

FBI wouldn't be that obvious, clearly it's the IBF 😉

Those damn boxers!


6 hours ago, Justaphysicsnerd said:

let's make passports mandatory for social media profiles

Well, it's called "social"... how can you be really social if you don't actually know anyone...

 

 

8 hours ago, StDragon said:

Like any tool, it can be abused.

 

There's legit reasons for anonymity such as avoiding persecution by Nation States and people looking to dox others. On the other hand, you have cowards conducting attacks also hiding behind the cloak of anonymity as well. Basically, you have to take the good with the bad.

Anonymity has a place for sure, but I wouldn't call it a tool, it just happens to be there... and why I wouldn't call it a tool: it's not very useful when, ironically, states and governments are the ones that can most easily get around this anonymity... if any state wants to find out who you are, this isn't a big challenge for them at all; you can't hide, it's an illusion at best. But yes, I agree there are 2 sides. I'm just saying it shouldn't be that easy to hide in anonymity, *especially* on social media... and we're going in that direction anyway, see Australia, Italy (?? I'm not sure about that ??), yes China (only the most influential nation currently...) etc. Governments are slowly catching up; they don't like the negative aspects that come with anonymity at all, and for mostly good reasons. Of course, this may take decades and may never be ideal, but I'm just saying it should be easier for targets of bullying, doxing, stalking, etc. to find out who the offending party actually is. This is very *difficult* currently, not least because "social" media often turns a blind eye to this and would rather "delete" the offensive content (destruction of evidence, btw) instead of actually *helping* the victims.

 

PS: the reality of this anonymity is toxic (and does more bad than good), and the people advocating for it don't seem to understand it fully, or actually benefit from it, like FB and co.

 

"Surveys indicate that people's opinions about social media have markedly dropped in the past several years, driven in part by issues of harassment, bad behavior and terrorism that have overshadowed everything else Facebook, Twitter and Instagram are used for.

 

A root cause, Torvalds said, is anonymity.

"When you don't even put your real name on your garbage (or the garbage you share or like), it really doesn't help." Instead, he said, people shouldn't be able to share or like things without proving their identity first."

 

 


3 minutes ago, Mark Kaine said:

PS: the reality of this anonymity is toxic (and does more bad than good), and the people advocating for it don't seem to understand it fully, or actually benefit from it, like FB and co.

 

"Surveys indicate that people's opinions about social media have markedly dropped in the past several years, driven in part by issues of harassment, bad behavior and terrorism that have overshadowed everything else Facebook, Twitter and Instagram are used for.


None of this is new. Anyone that's been on old dial-up BBS systems can attest to that. The flame wars were pretty epic back then. Top quality stuff too. Not this watered down lame-ass shit that's on FB and twitter. I'm disappointed at the regression in creativity TBH. 

 

6 minutes ago, Mark Kaine said:

A root cause, Torvalds said, is anonymity.

"When you don't even put your real name on your garbage (or the garbage you share or like), it really doesn't help." Instead, he said, people shouldn't be able to share or like things without proving their identity first."

 

 

 

It's not Torvalds' business who is allowed to share on the internet. It's up to the individual to trust the contents or not.

We practice defensive driving because you can't trust the other drivers all the time. Cyber Security should be all about defensive computing. It's up to YOU to trust and verify. Otherwise, eventually your own trust in others will be misplaced and taken advantage of; and no one wants to be in that situation.


12 hours ago, Mark Kaine said:

Anonymity has a place for sure, but I wouldn't call it a tool, it just happens to be there... and why I wouldn't call it a tool: it's not very useful when, ironically, states and governments are the ones that can most easily get around this anonymity... if any state wants to find out who you are, this isn't a big challenge for them at all; you can't hide, it's an illusion at best. But yes, I agree there are 2 sides. I'm just saying it shouldn't be that easy to hide in anonymity, *especially* on social media... and we're going in that direction anyway, see Australia, Italy (?? I'm not sure about that ??), yes China (only the most influential nation currently...) etc. Governments are slowly catching up; they don't like the negative aspects that come with anonymity at all, and for mostly good reasons. Of course, this may take decades and may never be ideal, but I'm just saying it should be easier for targets of bullying, doxing, stalking, etc. to find out who the offending party actually is. This is very *difficult* currently, not least because "social" media often turns a blind eye to this and would rather "delete" the offensive content (destruction of evidence, btw) instead of actually *helping* the victims.

PS: the reality of this anonymity is toxic (and does more bad than good), and the people advocating for it don't seem to understand it fully, or actually benefit from it, like FB and co.

"Surveys indicate that people's opinions about social media have markedly dropped in the past several years, driven in part by issues of harassment, bad behavior and terrorism that have overshadowed everything else Facebook, Twitter and Instagram are used for.

A root cause, Torvalds said, is anonymity.

"When you don't even put your real name on your garbage (or the garbage you share or like), it really doesn't help." Instead, he said, people shouldn't be able to share or like things without proving their identity first."

But on the other hand, when you live in an oppressive country and simply want your freedom or your rights, organising properly against the current regime requires anonymity.

I am not discussing the purpose of FB or Instagram or any other social media; I am discussing that there are still places in this world (including my country) where, if you don't have anonymity and you plan on organising any gathering (which by constitution you have the right to), a bunch of goons will come to your door and threaten you and your family to stop (and yes, this happened last week here).

There is a lot of scum, and anonymity can bring out the worst in humans, that is a fact, but this time somebody is covertly trying to uncover stuff and connect your ID with your activity.

Stuff like this will bring social credit to the rest of the world, like @Caroline mentioned, the dark aspect of a very real future we are heading towards.


21 hours ago, StDragon said:

Tor and I2P are typically blocked at the corporate firewall, as they're used as a conduit to secure ransomware (among other forms of malware) communications back to a C&C remote server. While I get that people prefer anonymity, as someone who has to protect networks, this is no big loss to me.

 

Now for private use at home or from a cell phone, that's another matter entirely.

I agree, for business it's often an issue. Most companies want to know what employees do on the network. There are 2 choices: block all Tor network traffic, or log where the user goes when using a Tor-based browser.

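Both the "blocked at the corporate firewall" post above and this one come down to the same detection problem: spotting internal hosts that talk to Tor relays. The script below is an added example, not code from either poster or from any vendor. It matches firewall flows against a relay address list and ranks the internal hosts involved. The relay feed, the log lines and the `key=value` log format are constructed (RFC 5737 documentation addresses) and are assumptions of the example; in production the feed would be a full relay list, for instance from the Tor Project's Onionoo service (https://onionoo.torproject.org/), because a client on your network connects to guards and bridges, not to exits, so the exit-only list at https://check.torproject.org/torbulkexitlist identifies inbound Tor traffic rather than outbound use.

```python
"""Flag outbound flows to known Tor relay addresses in firewall logs.

Added example; not code from the thread or from any vendor. The relay feed
and the log lines are constructed (RFC 5737 documentation addresses) and
stand in for a real relay list (e.g. from Onionoo) and a generic key=value
firewall log. The field names src, dst, dport, action, proto are assumed.
"""
import ipaddress
import re

# Constructed relay feed: one address per line, '#' comments allowed.
SAMPLE_RELAY_FEED = """\
# constructed sample, not real relay addresses
192.0.2.10
192.0.2.11
198.51.100.7
203.0.113.42
"""

# Constructed firewall log lines (hypothetical format); one line is junk on
# purpose to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
2021-12-07T16:00:01Z action=allow src=10.0.5.23 dst=192.0.2.200 dport=443 proto=tcp
2021-12-07T16:00:04Z action=allow src=10.0.5.23 dst=192.0.2.10 dport=9001 proto=tcp
2021-12-07T16:00:09Z action=allow src=10.0.7.8 dst=203.0.113.42 dport=443 proto=tcp
2021-12-07T16:00:12Z action=deny src=10.0.7.8 dst=198.51.100.7 dport=9030 proto=tcp
2021-12-07T16:00:15Z action=allow src=10.0.9.1 dst=10.0.0.53 dport=53 proto=udp
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def load_relay_set(feed_text):
    """Parse a one-address-per-line feed into a set of ip_address objects."""
    relays = set()
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        relays.add(ipaddress.ip_address(line))  # raises on a malformed feed line
    return relays


def find_tor_flows(log_text, relays):
    """Return every parseable flow whose destination is a listed relay.

    Matching is on destination address only: a relay listening on 443 looks
    like ordinary HTTPS by port, so port-based rules alone would miss it.
    Denied flows are kept too; a blocked attempt is still a signal about
    the host that made it.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst in relays:
            hits.append({
                "ts": m["ts"], "action": m["action"], "src": m["src"],
                "dst": str(dst), "dport": int(m["dport"]),
            })
    return hits


def hosts_by_hit_count(hits):
    """Internal source -> number of relay contacts, most active first."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    relays = load_relay_set(SAMPLE_RELAY_FEED)
    hits = find_tor_flows(SAMPLE_LOG, relays)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['action']})")
    print("per-host:", hosts_by_hit_count(hits))
```

Two caveats a practitioner should keep in mind. Relay lists churn, so the feed has to be refreshed regularly and matched against the log timestamp, not just against today's list. And address matching only catches direct connections to public relays: Tor bridges and pluggable transports such as obfs4 or Snowflake are not in any public list and will not show up here, which is the main reason the "log it" option in the post is harder than it sounds.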

On 12/7/2021 at 4:00 PM, J-from-Nucleon said:

I have a feeling it might be the FBI

[GIF: "FBI, open up"]

/s

Why '/s'?

 

$100 says it's the US government, or a coalition of governments.


On 12/8/2021 at 3:06 PM, Ydfhlx said:

Why '/s'?

 

$100 says it's the US government, or a coalition of governments.

Techlinked definitely thought so, but to be fair, the US military itself uses Tor, as it was developed with Navy funding.


On 12/7/2021 at 8:00 AM, J-from-Nucleon said:

I have a feeling it might be the FBI

[GIF: "FBI, open up"]

/s

That would be interesting, as the Tor project was developed by the US Navy and has received support from the US Navy from what I can tell up until at least 2013.

On 12/8/2021 at 1:06 PM, Ydfhlx said:

Why '/s'?

 

$100 says it's the US government, or a coalition of governments.

It's a possibility, and if it's right it would be ironic, as Tor was developed with US taxpayer dollars.

In search of the future, new tech, and exploring the universe! All under the cover of anonymity!


37 minutes ago, Wh0_Am_1 said:

That would be interesting, as the Tor project was developed by the US Navy and has received support from the US Navy from what I can tell up until at least 2013.

It's a possibility, and if it's right it would be ironic, as Tor was developed with US taxpayer dollars.

I don't see it as ironic; rather, it almost feels like the end goal, similar to Google, Apple and Microsoft.

  • Create platform/devices
  • Get people on said platforms/devices
  • Get all their data
  • Profit

Though to be honest, there are quite a handful of entities that could be behind this. Any member of 5 eyes, China, Russia, any big tech company...
Hell, maybe it's being used by Kim Jong-Un to choose targets for their next missile test 🤷‍♂️


On 12/8/2021 at 3:21 AM, leadeater said:

FBI wouldn't be that obvious, clearly it's the IBF 😉

Flowers By Irene.

 

 

Grammar and spelling are not indicative of intelligence/knowledge. Not having the same opinion does not always mean lack of understanding.

