Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Many Tor Relays Found Snooping on Dark Web Services

Researchers at Northeastern University have analyzed the Tor anonymity network and discovered that there are at least 110 nodes that spy on dark web services.

Researchers at Northeastern University have analyzed the Tor anonymity network and discovered that there are at least 110 nodes that spy on dark web services.

Experts have developed what they call honey onions, or HOnions, honeypots designed to identify misbehaving relays that have a hidden services directory (HSDir) flag. The privacy of Tor hidden services depends on the honest operation of these nodes, which provide the information needed by users to access .onion websites.

An analysis conducted between February 21 and April 24 using roughly 1,500 HOnions revealed that there are at least 110 snoopy nodes. These misbehaving relays were mostly located in the United States, Germany, France, UK and the Netherlands. According to the Tor Project, there are a total of more than 3,000 relays with the HSDir flag.

While in most cases these relays automatically queried the root path of the server, in some cases the honeypots detected what appeared to be manual probing. Researchers identified Apache- and search engine-related queries, and also attempts to find or exploit SQL injection, cross-site scripting (XSS), Drupal user enumeration, path traversal, Ruby on Rails and PHP vulnerabilities.

Some of the offending nodes were more sophisticated than others. Experts noticed that some of them visited the HOnions within 24 hours after hosting them, while others waited longer – most likely in an effort to evade detection or avoid raising suspicion.

Researchers also determined that more than 70 percent of the malicious relays are hosted in the cloud, including on infrastructure provided by companies that accept payment in Bitcoin, which makes it more difficult to detect the nodes and identify their operators.

Some of the snoopy hidden service directories are also exit nodes – these types of nodes have been known to be abused for malicious activities, including by APT actors. SecurityWeek has reached out to the Tor Project for comment on this research.

Recent events have shown that Tor is not 100 percent trustworthy. A team of university researchers funded by the U.S. government managed to help law enforcement deanonymize Tor users suspected of conducting criminal activities by adding more than 100 rogue relays to the anonymity network.

Advertisement. Scroll to continue reading.

Several improvements have been made over the past period to anonymity protections, but an increasing number of people are losing their faith in Tor’s capabilities due to the recent incidents. MIT researchers announced earlier this month that they have created a new anonymity system, dubbed “Riffle,” that is claimed to provide not only stronger security, but also more efficient bandwidth usage.

Related: Tor Browser Gets Multiple Security Enhancements

Related: Tor, CloudFlare Spar Over Malicious Traffic

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.