Tor is increasingly being used to scan organisations for vulnerabilities and to launch attacks
The Tor anonymisation network is increasingly used as the point of origin of attacks on public- and private-sector organisations, according to a new report by IBM, which recommends administrators ban access to the network.
The report also noted increases in SQL injection and distributed denial-of-service attacks, and in “ransomware” incidents, in which attackers encrypt data belonging to an individual or an organisation and then charge a fee to decrypt it.
Tor, which provides anonymity by obscuring the real point of origin of Internet communications, was in part created by the US government, which helps fund its ongoing development because some of its operations rely on the network.
However, the network is also widely used for criminal purposes, such as operating contraband websites, and it is increasingly being used by attackers to hide their identities as they scan for vulnerabilities or carry out attacks, IBM said.
“The design of routing obfuscation in the Tor network provides illicit actors with additional protection for their anonymity,” said IBM’s X-Force research team in its “Threat Intelligence” report for the third quarter of this year. “It can also obscure the physical location from which attacks originate, and it allows attackers to make the attack appear to originate from a specific geography.”
IBM said its data shows a “steady increase” over the past few years in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic.
“Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic,” IBM said in the report.
IT and communications technology companies were the most affected by “malicious events” originating from Tor between January and May of this year, with more than 300,000 events during the period, followed by manufacturing and financial services firms, IBM said.
The US was the top geography of origin for Tor-based attacks, followed by the Netherlands and Romania, but this spread reflects the prevalence of Tor exit nodes rather than the actual location of attackers, according to the study.
Companies have “little choice” but to block Tor-based communications, IBM said.
“The networks contain significant amounts of illegal and malicious activity,” IBM stated in the report. “Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions.”
The company offered technical pointers on blocking Tor access, including altering computer boot configurations and limiting the use of proxy services.
IBM said SQL injection attacks are on the rise, in part due to the growing use of simplified attack tools such as Havij, which was originally developed for security researchers.
The report also found rapid development in ransomware, including the appearance of “ransomware as a service” and highly specialised attacks, such as those that target the local files of popular online games.
“We are observing the start of a prolonged battle with ransomware, as ransomware attacks diversify from simple scams to more elaborate ones that target high-value communities or businesses,” IBM stated.
A single ransomware tool, CryptoWall, has made attackers about $18m (£11m), according to FBI figures cited in the report.