CISA Warns Enterprises of Risks Associated With Tor

In an alert this week, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned enterprises about the use of Tor in cyberattacks.

Maintained by non-profit organization Tor Project, the Tor software and the underlying infrastructure are meant to provide users with anonymity and the means to bypass censorship by encrypting requests and routing them via multiple nodes.

However, cybercriminals and other threat actors abuse Tor for anonymity and obfuscation, to conceal their identity when conducting cyber-operations. With Tor, the online activity of a user appears to originate from the IP address of a Tor exit node instead of their own IP address.

Types of malicious activity conducted using Tor include reconnaissance, system compromise, data exfiltration, denial of service (DoS) attacks, and ransomware delivery. Furthermore, Tor is often leveraged for command and control (C&C) server communication.

The use of Tor ensures that the identity of adversaries remains hidden, and also hinders recovery and response to cyberattacks. Thus, organizations are advised to apply necessary measures to block and monitor all traffic to and from the Tor network, to identify targeting and exploitation.

“The risk of being the target of malicious activity routed through Tor is unique to each organization. An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls,” CISA says.

According to the agencies, an organization should assess whether legitimate users need Tor for their activities, and should also take into consideration the threat posed by attackers, ranging from low-skilled hackers to advanced persistent threats (APTs).

In order to detect malicious activity that leverages Tor, defenders can use indicator- or behavior-based analysis of network, endpoint, and security appliance logs. Security information and event management (SIEM) and other log analysis tools can help identify activities involving Tor exit nodes, all of which are included in a list maintained by the Tor Project’s Exit List Service.
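
One way to implement the indicator-based check described above, as an added example that is not part of the original article or the CISA alert. It assumes the exit list carries `ExitAddress <ip> <date> <time>` lines and that firewall logs use a hypothetical key=value format; the function names, sample data and 24-hour window are assumptions, and a match only counts when the log time is close to the listing time, since exit addresses change over time.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: only the ExitAddress lines of an exit list (documentation IPs).
SAMPLE_EXIT_LIST = """\
ExitAddress 192.0.2.10 2020-07-01 11:05:00
ExitAddress 198.51.100.7 2020-07-01 10:30:00
"""

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2020-07-01T11:20:00 src=192.0.2.10 dst=10.0.0.5 dport=443 action=allow
2020-07-01T11:21:00 src=10.0.0.8 dst=198.51.100.7 dport=9001 action=allow
2020-07-01T11:22:00 src=203.0.113.50 dst=10.0.0.5 dport=22 action=deny
2020-07-09T08:00:00 src=192.0.2.10 dst=10.0.0.5 dport=443 action=allow
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

def parse_exit_list(text):
    """Map each exit IP to the most recent time it was listed as an exit."""
    exits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ExitAddress":
            ip = ipaddress.ip_address(parts[1])
            seen = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
            exits[ip] = max(seen, exits.get(ip, seen))
    return exits

def find_tor_hits(log_text, exits, window=timedelta(hours=24)):
    """Return log events whose src or dst was a listed exit near the event time."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.fromisoformat(m["ts"])
        for field in ("src", "dst"):
            try:
                ip = ipaddress.ip_address(m[field])
            except ValueError:
                continue  # hostname or malformed address in the log
            seen = exits.get(ip)
            # Exit IPs churn: only count a match close in time to the listing.
            if seen is not None and abs(ts - seen) <= window:
                hits.append({"time": ts, "field": field, "ip": str(ip)})
    return hits
```

With the constructed data, the first two log lines are reported and the entry from eight days later is not, because the address is no longer known to have been an exit at that time.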

CISA also lists mitigation steps enterprises should take to reduce the risks associated with adversaries using Tor, ranging from monitoring and analysis to completely blocking traffic to and from public Tor nodes. However, it also warns that the use of additional anonymization technologies by sophisticated attackers, such as virtual private networks (VPNs), might circumvent detection and blocking systems.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
