Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Tor Exit Nodes Provide Man-in-the-Middle Attack Vector for Threat Actors

In a two-part series, TheRecord has confirmed Tor exit nodes are being used SSL Stripping attacks, SSL Downgrade attacks, and other man-in-the-middle (MITM) activity. These types of attacks occur when a web browser visiting a website is supposed to be redirected to the secure TLS (HTTPS) version of the site, but instead it uses unencrypted HTTP or an older version of SSL that is vulnerable to attack. Tor exit nodes are always in a position to relay network traffic for Tor users to Internet servers, so if the traffic is not encrypted to the website, the exit node can spy on the traffic.  Some 27% of Tor exit relays have been shown to have acted in this capacity at one time, before maintainers at the Tor Project noticed and took action, taking that number down to 3% or 4% temporarily. The analyst Nusenu described the infrastructure on the ISP OVH and a newly observed network “Nice IT Services Group.” Nusenu sums up the exploitation and danger stating “They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays. They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings.”

Analyst Notes

The Tor Project took notice of Nusenu’s first post in late 2019. They have be proactively removing these malicious exit nodes when detected. However, Covid-19 caused some layoffs at the Tor project forcing re-organization away from an effort specifically dedicated to mitigation of this threat. Nusenu calls on the Tor Project’s directory authority to enact countermeasures to mitigate this threat.

Tor has been a place for privacy-minded users to rely on for sensitive operations. Many journalists communicate and accept sourced information through Onion sites along with other communication and work with privacy as a consideration. These SSL-Stripping attacks downgrade https communication to plain text http traffic and allow the Exit node operators to spy on the traffic. What a user can do is be vigilant which exit nodes and network they are utilizing. OrNetRadar provides some insight into new relays and the SecOps-Institute provides an hourly update on exit node IPs. For the time being, enabling Tor Browser’s HTTPS-Only mode provides the strongest protection against this issue but will exclude users from the many Onion sites that do not utilize SSL.