SecurityWeek

Malware & Threats

Tor Tells Users to Upgrade Browser Bundle After Freedom Hosting Attack

More information is trickling out about a Firefox vulnerability used to compromise some users of the Tor network as speculation about the origin of the attack continues to swirl.


While rumors of a compromise of the Tor network had begun to spread during the weekend, it now appears that the attack exploited a flaw in the Firefox browser, which is included in the Tor Browser Bundle. The vulnerability at the center of the controversy is MFSA 2013-53, which was patched in Firefox 22 and Firefox 17.0.7 ESR.

According to the Tor Project, the following versions of the Tor Browser Bundle include a fix:

    2.3.25-10 (released June 26, 2013)

    2.4.15-alpha-1 (released June 26, 2013)

    2.4.15-beta-1 (released July 8, 2013)

    3.0alpha2 (released June 30, 2013)

“In principle, all users of all Tor Browser Bundles earlier than the above versions are vulnerable,” according to a security advisory from the Tor Project. “But in practice, it appears that only Windows users with vulnerable Firefox versions were actually exploitable by this attack.”


“It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack,” the advisory continued. “The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim’s computer. However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”
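The advisory's fixed-version list is the practical takeaway for anyone maintaining an endpoint inventory: a Tor Browser Bundle build is exposed if it predates the fix on its own release branch. The following Python is an added example, not code from the Tor Project or from this article; it encodes the four fixed versions quoted above and compares other version strings against them. The version-string grammar it accepts, the branch rule (stable, alpha and beta series are compared separately) and the sample inventory are my own assumptions, constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Tor Browser Bundle versions that include the fix for MFSA 2013-53,
# exactly as listed in the Tor Project advisory quoted above.
FIXED_TBB_VERSIONS = ["2.3.25-10", "2.4.15-alpha-1", "2.4.15-beta-1", "3.0alpha2"]

# Assumed grammar covering the four advisory strings: major.minor[.patch],
# an optional alpha/beta stage, and an optional build number, with "-" or "."
# tolerated as separators (e.g. "2.3.25-10", "2.4.15-beta-1", "3.0alpha2").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?[-.]?(alpha|beta)?[-.]?(\d+)?$")

Branch = Tuple[int, int, str]


def parse_tbb_version(version: str) -> Tuple[Branch, Tuple[int, ...]]:
    """Split a TBB version string into (branch, comparable numeric tuple).

    branch is (major, minor, stage) with stage "stable", "alpha" or "beta";
    the numeric tuple holds every number in order so Python tuple ordering
    gives "earlier than" within a branch. Raises ValueError on unknown shapes
    rather than guessing.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised TBB version string: {version!r}")
    major, minor, patch, stage, build = m.groups()
    branch: Branch = (int(major), int(minor), stage or "stable")
    nums = tuple(int(x) for x in (major, minor, patch, build) if x is not None)
    return branch, nums


# Build the per-branch fix threshold once from the advisory list.
FIXED_BY_BRANCH = {}
for _v in FIXED_TBB_VERSIONS:
    _branch, _nums = parse_tbb_version(_v)
    FIXED_BY_BRANCH[_branch] = _nums


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, False if it is
    at or past the fix, None if the advisory lists no fix for that branch
    (so a human decides instead of the tool silently passing it).

    Note the advisory's caveat: in practice only Windows users with
    vulnerable Firefox versions were actually exploited, but every earlier
    bundle on every platform is treated as needing the upgrade here.
    """
    branch, nums = parse_tbb_version(version)
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return None
    return nums < fixed


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that need an upgrade or manual review, in input
    order. Unknown branches are included so they are not overlooked."""
    needs_review = []
    for host, version in inventory:
        verdict = is_vulnerable(version)
        if verdict is None or verdict:
            needs_review.append(host)
    return needs_review


# Constructed sample inventory (hostname, installed TBB version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "2.3.25-9"),        # stable, one build before the fix
    ("ws-02", "2.3.25-10"),       # fixed stable release
    ("ws-03", "2.4.14-alpha-2"),  # alpha series, before the fix
    ("ws-04", "3.0alpha2"),       # fixed 3.0 alpha
    ("ws-05", "2.2.39-5"),        # branch not listed in the advisory
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(host, version, "->", is_vulnerable(version))
    print("needs upgrade or review:", triage(SAMPLE_INVENTORY))
```

Comparing only within a release branch avoids the trap of ranking a fixed 2.4.15 alpha "below" an unfixed 3.0 alpha; when the branch is not in the advisory the function returns None rather than a guess, and the triage list surfaces those hosts for a person to check.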

News of the compromise followed the arrest in Ireland of Eric Eoin Marques. According to the Independent.ie, authorities in the U.S. are currently trying to have Marques extradited on child pornography charges. News reports have linked him to Freedom Hosting, a hidden service provider reachable through the Tor network that has been accused of ties to child pornography in the past.

Around midnight on Aug. 4, just three days after Marques’ Aug. 1 arrest, Tor was notified that a large number of hidden service addresses had disappeared from the Tor network. Rumors quickly began to circulate that sites served by Freedom Hosting had been compromised with code designed to unmask the identity of anyone visiting them and send that information back to an IP address in the Washington, D.C., area. The IP address has been linked to defense contractor SAIC (Science Applications International Corporation).

In an analysis of the malware, researcher Vlad Tsyrklevich wrote that the payload connects to the IP address and sends it an HTTP request that includes the hostname and the MAC address of the local host.

“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA [law enforcement agency] and not by blackhats,” he wrote.

“The revelations will prove worrying for many legitimate Tor users, who rely on the service to protect them from snooping by government agencies,” blogged John Hawes, technical consultant and test team director at Virus Bulletin. “While it may sometimes be used for criminal purposes, Tor also often allows access to freedom of speech which might otherwise be denied to people in certain parts of the world.”


Written By

Marketing professional with a background in journalism and a focus on IT security.
