Anonymous hackers were controlling more than 24% Tor exit nodes

At the beginning of this week, a well-known expert Nusenu published results of his investigation about the growing problem of malicious relays on the Tor network. According to his data, since January 2020 unknown hackers were making SSL stripping attacks. Nusenu says that this group makes man-in-the-middle attacks on Tor users and control traffic in Tor network. The Tor Project was founded by computer scientists Roger Dingledine and Nick Mathewson for anonymous internet communication. Many crypto-enthusiasts rely on the Tor network, making their Bitcoin transactions secure and anonymous. However, according to the investigation, Tor might not be a good choice. Tor protects user anonymity by routing data through many relays. The last hop in this process is exit relays and the only ones that get to see the actual destination of the Tor user. Starting in January, an unknown hack-group began running a large number of Tor exit relays, peaking over 24% of the total in July 2020.

malicious Tor exit capacity over time

So how does it work?

The victim visits onion website, which accepts bitcoin payments. Malicious tor relay replaces bitcoin addresses in HTTP traffic to redirect transactions to the wallets of the hack-group instead of the user-provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is.

The hackers use the biggest Tor hosters (OVH and Hetzner) to blend in with the rest, but they also make use of hosters rarely seen before they joined (i.e. AS20860). Their relays made the autonomous system “Iomart Cloud Services” (AS20860) so big, it is now the 6th biggest ASN by guard capacity on the Tor network.

The expert says there is no real “solution” for malicious relays due to the open design but risk reduction is still possible. Tor directory authorities can consider new relay groups without any MyFamily and ContactInfo as “do not do” violations (April 2018 discussions) and make it a bit more time consuming for adversaries to add huge amounts of Tor capacity.

How to prevent SSL stripping attack on your onion website?

It’s easy to do on a technical level using HSTS preloading. If you employ subdomains in your content structure, you will need a Wildcard Certificate to cover HTTPS ONLY. The initial stages below will test your web applications, user login and session management. It will expire HSTS every 5 minutes. Modify max-age=xxx. One week = 604800; One Month = 2592000. Append preload after your tests are completed. After you are confident that HSTS is working with your web applications, modify max-age to 63072000.