WIDESPREAD TOR SCANNING
Executive Summary: On 30th October 2019 between 20:18 and 23:22 BST, ITC’s SIEM service picked up a heavy, unexpected surge in connection attempts to our customers from Tor node IPs. To understand volumes, ITC typically observe only a few of these events a day, however in this instance there were several thousand detections identified within an hour.
Tor is an anonymous communication software which allows users to connect through a series of “nodes” to reach their intended destination. As the communications pass from node to node before reaching the target, it can make it impossible to establish where the original source of a connection was from.
Although there are a small number of legitimate uses for Tor, due to the anonymity it provides, it is most commonly used to support criminal activity, for example to hide the origin of attacks or used by rogue employees to hide their activity from corporate monitoring systems. It can also be used for black market trading and piracy.
The final ‘node’ a connection reaches before connecting to the target is referred to as an ‘exit node’.
The flood of connections ITC have observed, originate from these exit nodes. Due to the nature of these nodes, they can change regularly and can be difficult to track. However, ITC proactively developed proprietary content introduced into our SIEM service to dynamically collect feeds of these exit nodes, allowing our Use Cases to trigger in real time if connections are seen ‘to or from’ these IPs. This provides our customers the assurance that their estate is being monitored through the ITC SIEM service to identify such attacks utilising Tor.
The attacks appear to have occurred exclusively over HTTP and ITC were able to determine that a threat actor was making use of Tor to scan externally facing web servers. This has remained largely unreported in the Cyber Security Community.
Some evidence has been gathered through ITC’s expert Cyber Consultancy team indicating that there has been a sudden increase in DDoS attacks employing Tor in the past 24 hours and further evidence that Tor itself may be the intended target and not the final destinations of the connections. Due to the anonymity intrinsic to Tor, it is not possible to know where an attack originated from. State actors in foreign countries may be involved, using Tor to mask their location. The exit nodes observed in last night’s attacks range across the globe, including China and Russia.
For ITC customers that have Managed Intrusion Prevention Systems (IPS), we can confirm that we did not detect any malicious signatures in the payloads from the attackers. Additionally, packets observed in the connections were small, ranging in size between 64-124 bytes, which is indicative of reconnaissance scanning behaviour.
There is a possibility the intended target of this activity is the Tor network itself. Information gathered shows that the Emerald Onion and the Calyx Institute, who host Tor node infrastructure, received large amounts of traffic through their network at around 3:00 PM on 30th October. The intention may have been to connect to a wide number of endpoints across the internet through the Tor nodes, generating too much traffic for them to handle, and reducing the service on the nodes rather than impacting the final endpoints.
Our Investigations into whether this was targeted against a particular region, against Tor itself, or if this was untargeted against a range of web-facing addresses have been inconclusive.
Detect: ITC’s proprietary SIEM Use Cases and Tor node feed were able to immediately detect and alert to the connections which suddenly began connecting to customer addresses. As the threat developed, the ITC SOC released new content to address the nature of attack.
ITC also utilised our new Service Management tool (ServiceNow) to correlate this traffic trend across different customers to confirm that this was an active attack against a number of externally facing infrastructures.
Response: In total, ITC generated 1,720 tickets, from several thousand correlated events. Although 1,720 were generated, the logic and intelligence that ITC have built into our new Service Management toolset (ServiceNow), meant that our SIEM customer were not notified 1720 times. The intent is to only communicate to our customers when a threat is active within their estate and provide telephone communications to bring attention to high level issues.
In some instances, ITC saw customer assets responding to the Tor nodes via the SIEM service, in these cases for Managed Firewall customers, ITC proactively blocked inbound and outbound connections on the perimeter firewalls, with others receiving phones calls from our SOC informing them of the activity and that they should also block the IPs.
Where no action was required, ITC’s 24/7 SOC team continued monitoring the threat, prepared for a resurgence in Tor traffic along with releasing new Use Cases to detect unusual Tor attacks.
Prevent: Although there is no preventative action which can be taken beyond blocking IP addresses, ITC recommend ensuring that all IPS signatures are up-to-date and all systems are patched; particularly if they are internet-facing.
Should you require any further information, technical support or cyber consultancy to understand your security posture, please do not hesitate to contact the ITC team.