{"id":36548,"date":"2020-08-11T15:25:44","date_gmt":"2020-08-11T15:25:44","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/31478\/Tor-Exit-Nodes-Hijacked-To-Perform-SSL-stripping-Attacks.html"},"modified":"2020-08-11T15:25:44","modified_gmt":"2020-08-11T15:25:44","slug":"tor-exit-nodes-hijacked-to-perform-ssl-stripping-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/tor-exit-nodes-hijacked-to-perform-ssl-stripping-attacks\/","title":{"rendered":"Tor Exit Nodes Hijacked To Perform SSL stripping Attacks"},"content":{"rendered":"
\"Tor<\/span>
<\/span><\/figcaption><\/figure>\n

Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser. <\/p>\n

The group has been so prodigious and persistent in their attacks, that by May 2020, they ran a quarter of all Tor exit relays <\/strong>\u2014 the servers through which user traffic leaves the Tor network and accesses the public internet. <\/p>\n

According to a report<\/a> published on Sunday by an independent security researcher and Tor server operator known as Nusenu, the group managed 380 malicious Tor exit relays at its peak, before the Tor team made the first of three interventions to cull this network. <\/p>\n

SSL stripping attacks on Bitcoin users <\/h3>\n

“The full extend[sic] of their operations is unknown, but one motivation appears to be plain and simple: profit,” Nusenu wrote over the weekend. <\/p>\n

The researcher says the group is performing ” person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays,” and that they are specifically targeting users accessing cryptocurrency-related websites using the Tor software or Tor Browser. <\/p>\n

The goal of the person-in-the-middle attack is to execute “SSL stripping” attacks by downgrading the user’s web traffic from HTTPS URLs to less secure HTTP alternatives. <\/p>\n

Based on their investigation, Nusenu said the primary goal of these SSL stripping attacks was to allow the group to replace Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services. <\/p>\n

<\/section>\n

Bitcoin mixers are websites that allow users to send Bitcoin from one address to another by breaking the funds in small sums and transferring them through thousands of intermediary addresses before re-joining the funds at the destination address. By replacing the destination address at the HTTP traffic level, the attackers effectively hijacked the user’s funds without the users or the Bitcoin mixer’s knowledge. <\/p>\n

A difficult attack to pull through <\/h2>\n

“Bitcoin address rewriting attacks are not new, but the scale of their operations is,” the researcher said. <\/p>\n

Nusenu said that based on the contact email address used for the malicious servers, they tracked at least nine different malicious Tor exit relay clusters, added across the past seven months. <\/p>\n

\"tor-exit-malicious.png\"<\/span>