IBM is warning companies to stop using the Tor anonymising network and completely block it from corporate networks to avoid being open to increasing ransomware and distributed denial of service (DDoS) attacks.
In a new threat intelligence report, IBM says that targeted ransomware is on the rise and that cybercriminals are increasingly making use of the Tor network to mask where the malware came from.
Tor (from The Onion Router project) is the name for software that anonymises internet traffic by redirecting it through a worldwide network of relays run by volunteers who set up their computers as Tor nodes. Because the data travelling between two nodes only contains the details of those two nodes, the source and final destination are effectively anonymised and protected from interception. Tor also enables the hosting of websites that are not discoverable by conventional means, such as a Google or Bing search or directly entering a website URL.
These hidden sites form part of the Dark Web, which suits cybercriminals, who put thousands of goods and services for sale on secret underground marketplaces: illegal drugs, chemicals, firearms and counterfeit goods, as well as adverts for services such as hacking, gambling and sports betting.
There are currently about 5,000 Tor servers worldwide operated by volunteers, and Tor is used by a wide range of people – from regular citizens concerned about their online privacy and security, to journalists, lawyers, human rights activists and hackers.
300,000 incidents in five months
"The design of routing obfuscation in the Tor network provides illicit actors with additional protection for their anonymity. It can also obscure the physical location from which attacks originate, and it allows attackers to make the attack appear to originate from a specific geography," IBM wrote in the report.
"Tor can serve as a proxy with exit points known as 'exit nodes' to allow users to anonymously browse web pages externally on the World Wide Web. This offers moderate anonymity to anyone wishing to hide their identity as well as encrypt communication back to their host computer or device."
Between January and May 2015, IBM noted over 300,000 'events' in which companies in the communications, finance and manufacturing industries suffered cyberattacks that used Tor to mask their origin. The most common country for such an attack to appear to originate from, possibly because it hosts a greater number of Tor nodes, was the US, with 200,000 'events', followed by the Netherlands with 150,000 and Romania with 75,000.
At times the malware attack is not directed at the company itself; instead the cybercriminals seek to inject code into vulnerable web servers so that end users visiting the site are served malicious links to websites that download ransomware onto the user's computer, as happened in the compromise of TV chef Jamie Oliver's website.
Tips on how to secure networks from Tor
IBM advises that companies configure their networks to block access to the Tor Project's website and any other websites associated with anonymising proxies. IT departments should also make sure that employees are not using unapproved encrypted proxy services, personal proxy services such as VPNs, or personal USB and SD card storage devices.
The BIOS of computers on the network must also be configured to only boot to the hard drive, and autorun must be disabled on all removable devices. "We are observing the start of a prolonged battle with ransomware, as ransomware attacks diversify from simple scams to more elaborate ones that target high-value communities or businesses," IBM wrote in its report.
"Corporate networks really have little choice but to block communications to these stealthy networks. The networks contain significant amounts of illegal and malicious activity. Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions."
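As an added illustration of the blocking advice above (example code written for this page, not taken from IBM's report), the following Python check scans firewall log lines for outbound connections to addresses on a Tor relay list or to Tor's default relay and SOCKS ports. The relay addresses, the log format and the log lines are constructed placeholders; a real deployment would load the relay list from a published Tor relay or exit-node feed.

```python
import re

# Constructed placeholder relay list. In practice this set is refreshed from a
# published Tor relay/exit-node feed; these RFC 5737 documentation addresses
# are not real relays.
KNOWN_TOR_RELAYS = {"203.0.113.10", "198.51.100.77"}

# Default Tor ORPort (9001), DirPort (9030) and local SOCKS ports (9050/9150).
# Relays can run on any port, so this is only a weak secondary signal.
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9150}

# Constructed firewall log format: src=IP:port dst=IP:port action=allow|deny
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>\w+)"
)

# Constructed sample log lines; 93.184.216.34 stands in for ordinary web traffic.
SAMPLE_LOG = """\
src=10.0.0.5:51234 dst=203.0.113.10:443 action=allow
src=10.0.0.8:51300 dst=93.184.216.34:443 action=allow
src=10.0.0.9:51400 dst=192.0.2.50:9001 action=allow
src=10.0.0.5:51500 dst=198.51.100.77:9030 action=deny
this line is not in the expected format
"""


def classify(dst, dport):
    """Return why a destination looks like Tor, or None if it does not."""
    if dst in KNOWN_TOR_RELAYS:
        return "known_relay"      # strong signal: address is on the relay list
    if dport in TOR_DEFAULT_PORTS:
        return "tor_default_port" # weak signal: only the port matches
    return None


def find_tor_connections(log_text):
    """Return (src, dst, dport, action, reason) for each suspicious line.

    Lines that do not match the expected format are skipped. Connections the
    firewall already denied are still reported so the host can be followed up.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m["dport"])
        reason = classify(m["dst"], dport)
        if reason:
            findings.append((m["src"], m["dst"], dport, m["action"], reason))
    return findings
```

Allowed hits against a known relay are the ones to act on first; port-only hits need confirmation against the relay list before blocking, since legitimate services can use those ports.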