
Tor Tells Users to Upgrade Browser Bundle After Freedom Hosting Attack

More information is trickling out about a Firefox vulnerability used to compromise some users of the Tor network as speculation about the origin of the attack continues to swirl.

While rumors of a compromise of the Tor network had begun to spread during the weekend, it appears now that the attack exploited a flaw in the Firefox browser, which is included in the Tor Browser Bundle. The vulnerability at the center of the controversy is MFSA 2013-53, which was patched in Firefox 22 and Firefox 17.07 ESR.

According to the Tor Project, the following versions of the Tor Browser Bundle include a fix:

    2.3.25-10 (released June 26, 2013)

    2.4.15-alpha-1 (released June 26, 2013)

    2.4.15-beta-1 (released July 8, 2013)

    3.0alpha2 (released June 30, 2013)

“In principle, all users of all Tor Browser Bundles earlier than the above versions are vulnerable,” according to a security advisory from the Tor Project. “But in practice, it appears that only Windows users with vulnerable Firefox versions were actually exploitable by this attack.”

“It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack,” the advisory continued. “The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim’s computer. However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”
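The advisory's rule that every bundle earlier than the listed releases is vulnerable can be turned into a simple check. This is an added example, not code from the Tor Project or SecurityWeek; it assumes versions are compared only within their own series (2.3 stable, 2.4 alpha, 2.4 beta, 3.0 alpha) as the advisory lists them, and treats series not named by the advisory as unknown.

```python
import re
from typing import NamedTuple, Optional

# Tor Browser Bundle releases that carry the MFSA 2013-53 fix, per the advisory quoted above.
FIXED_VERSIONS = ["2.3.25-10", "2.4.15-alpha-1", "2.4.15-beta-1", "3.0alpha2"]

# Accepts "2.3.25-10", "2.4.15-alpha-1" and the compact "3.0alpha2" form.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-?(?P<channel>alpha|beta)-?(?P<pre>\d+))?"
    r"(?:-(?P<build>\d+))?$"
)


class TBBVersion(NamedTuple):
    major: int
    minor: int
    channel: str   # "stable", "alpha" or "beta"
    patch: int     # third component, 0 when absent (e.g. 3.0alpha2)
    pre: int       # alpha/beta number, 0 for stable
    build: int     # trailing "-N" build number, 0 when absent

    @property
    def series(self):
        # Fixes are issued per release line, so compare only within one.
        return (self.major, self.minor, self.channel)

    @property
    def ordinal(self):
        return (self.patch, self.pre, self.build)


def parse_tbb_version(text: str) -> TBBVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tor Browser Bundle version: {text!r}")
    g = m.groupdict()
    return TBBVersion(int(g["major"]), int(g["minor"]), g["channel"] or "stable",
                      int(g["patch"] or 0), int(g["pre"] or 0), int(g["build"] or 0))


_FIXED_BY_SERIES = {v.series: v for v in map(parse_tbb_version, FIXED_VERSIONS)}


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the bundle predates the fixed release of its series,
    False if it is the fixed release or later, None if the series is not listed."""
    v = parse_tbb_version(text)
    fixed = _FIXED_BY_SERIES.get(v.series)
    if fixed is None:
        return None
    return v.ordinal < fixed.ordinal
```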

News of the compromise followed the arrest in Ireland of Eric Eoin Marques. According to the Independent.ie, authorities in the U.S. are currently trying to have Marques extradited on child pornography charges. News reports have linked him to Freedom Hosting, a hidden service provider reachable through the Tor network that has been accused of ties to child pornography in the past.

Around midnight on Aug. 4, just three days after Marques’ Aug. 1 arrest, Tor was notified that a large number of hidden service addresses had disappeared from the Tor network. Rumors quickly began to circulate that sites served by Freedom Hosting had been compromised with code designed to unmask the identity of anyone visiting them and send the information back to an IP address in the Washington, D.C., area. The IP address has been linked to defense contractor SAIC (Science Applications International Corporation).

In an analysis of the malware, researcher Vlad Tsyrklevich wrote that the payload connects to the IP address and sends it an HTTP request that includes the hostname and the MAC address of the local host.

“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA [law enforcement agency] and not by blackhats,” he wrote.

“The revelations will prove worrying for many legitimate Tor users, who rely on the service to protect them from snooping by government agencies,” blogged John Hawes, technical consultant and test team director at Virus Bulletin. “While it may sometimes be used for criminal purposes, Tor also often allows access to freedom of speech which might otherwise be denied to people in certain parts of the world.”
