Someone is running hundreds of malicious servers on the Tor network


Screenshot: Jody Serrano / Gizmodo / Tor Project

New research shows that someone is running hundreds of malicious servers on the Tor network, potentially in an attempt to de-anonymize users and unmask their web activity. As first reported by The Record, the activity seems to come from one sophisticated and persistent user, who somehow has the resources to run a bunch of high-bandwidth servers for years on end.

Also called the “Onion Router,” Tor may be the world’s most famous online privacy platform, and its software and associated network are supposed to protect your web browsing activity from surveillance by hiding your IP address and encrypting your traffic. The network, which was originally launched in 2002, has experienced attacks and malicious activity before, though this recent activity seems to reveal a more cunning, less obvious actor than your typical cybercriminal.

The malicious servers were originally spotted by a security researcher who goes by the pseudonym “nusenu” and who runs their own node on the Tor network. On their Medium, nusenu writes that they first discovered evidence of the threat actor – whom they called “KAX17” – back in 2019. After further research on KAX17, they discovered that the actor had been active online back in 2017.

In essence, KAX seems to be running large segments of Tor’s network – potentially hoping to be able to track the path of certain web users and unmask them.

Understanding this requires a quick refresher on how Tor works. Tor anonymizes users’ web activity by encrypting their traffic and then routing it through a series of different nodes – also called “relays” – before it reaches its final destination and is unencrypted. Node operators should not be able to see your traffic, since Tor provides encryption and they only assist with one of several parts of your traffic’s path (also called a “circuit”).

However, since the nodes within Tor’s network are volunteer-run, you don’t have to go through any background checks to run one – or several – of them, and it’s not uncommon for bad actors to set up nodes in hopes of attacking users for one reason or another.

However, in the case of KAX17, the threat actor seems to be significantly better resourced than your average dark web malcontent: they have launched literally hundreds of malicious servers around the world – an activity that boils down to “running large parts of the tor network”. With this amount of activity, the chances that KAX can track a Tor user’s circuit are relatively high, the researcher shows.

Indeed, according to nusenu’s research, KAX had so many servers at one point – some 900 – that you had a 16 percent chance of using their relay as the first “hop” (i.e., a node in your circuit) when you logged on to Tor. You had a 35 percent chance of using one of their relays during your second “hop,” and a 5 percent chance of using them as an exit relay, nusenu writes.

There is also evidence that the threat actor participated in discussions on the Tor forum, during which they seem to have lobbied against administrative actions that would remove their servers from the network.

Despite this, the Tor authorities have apparently tried several times to get KAX17 off the network. Many of the threat actor’s servers were removed by the Tor directory authorities in October 2019. Then, just last month, the authorities again removed a large number of relays that looked suspicious and were linked to the threat actor. However, in both cases, the actor seems to have returned immediately and started to rebuild, writes nusenu.

It is unclear who could be behind all this, but it seems that, whoever they are, they have a lot of resources. “We have no evidence that they are actually carrying out de-anonymization attacks, but they are in a position to do so,” writes nusenu. “The fact that someone is running such a large network of relays … is enough to sound all kinds of alarms.”

“Their actions and motives are not well understood,” he added.

We have contacted the Tor Project for comment on this story and will update it if they respond.


Naveen Kumar
