The Tor anonymisation network is increasingly used as the point of origin of attacks on public- and private-sector organisations, according to a new report by IBM, which recommends administrators ban access to the network.
The report also noted increases in SQL injection and distributed denial-of-service attacks, and in “ransomware” incidents, in which malware encrypts data belonging to an individual or an organisation and the attackers then demand a fee to decrypt it.
Tor is designed to protect the anonymity of its users, but the network is also widely used for criminal purposes, such as operating contraband websites, and it is increasingly used by attackers to hide their identities while they scan for vulnerabilities or carry out attacks, IBM said.
“The design of routing obfuscation in the Tor network provides illicit actors with additional protection for their anonymity,” said IBM’s X-Force research team in its “Threat Intelligence” report for the third quarter of this year. “It can also obscure the physical location from which attacks originate, and it allows attackers to make the attack appear to originate from a specific geography.”
IBM said its data shows a “steady increase” over the past few years in attacks originating from Tor exit nodes (the relays at which Tor traffic re-enters the public internet), with attackers increasingly using Tor to disguise botnet traffic.
“Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic,” IBM said in the report.
IT and communications technology companies were the sector most affected by “malicious events” originating from Tor between January and May of this year, with more than 300,000 events in the period, followed by manufacturing and financial services firms, IBM said.
The US was the top country of origin for Tor-based attacks, followed by the Netherlands and Romania, but this spread reflects where Tor exit nodes are hosted rather than the actual location of attackers, since a target only ever sees the address of the exit node, according to the study.
Companies have “little choice” but to block Tor-based communications, IBM said.
“The networks contain significant amounts of illegal and malicious activity,” IBM stated in the report. “Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions.”
The company offered technical pointers on blocking Tor access, including altering computer boot configurations and limiting the use of proxy services.
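The report's recommendation to block Tor-based communications, and its caveat that what a target sees is the exit node rather than the attacker, can be illustrated with the following added example. It is not code from IBM or from the X-Force report: it loads an exit-node list in the one-address-per-line format published at https://check.torproject.org/torbulkexitlist, matches the source addresses in a web server access log against it, and emits the ipset/iptables commands needed to drop traffic from those addresses. The exit list, the log lines and the `tor_exits` set name are constructed for the example (the addresses are RFC 5737 documentation ranges, not real relays).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the Tor bulk exit list (one address per
# line). These are RFC 5737 documentation addresses, not a real snapshot.
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real relay snapshot
192.0.2.10
192.0.2.11
203.0.113.7
"""

# Constructed Apache combined-format log lines. 198.51.100.5 is a normal
# visitor; the other two addresses appear in the exit list above.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [10/Sep/2015:10:01:02 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Sep/2015:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2015:10:01:09 +0000] "GET /admin/ HTTP/1.1" 403 128 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Sep/2015:10:01:11 +0000] "GET /wp-login.php HTTP/1.1" 404 64 "-" "Mozilla/5.0"
"""

# Leading address, two ignored fields, bracketed timestamp, quoted request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def load_exit_nodes(text):
    """Parse an exit-node list into a set of ip_address objects.

    Blank lines and '#' comments are skipped; a malformed address raises
    ValueError rather than being silently dropped, so a corrupted download
    does not quietly shrink the block list."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nodes.add(ipaddress.ip_address(line))
    return nodes


def tor_events(log_text, exit_nodes):
    """Return (source_ip, request, status) for log lines whose source address is
    a known exit node. The address identifies the relay the traffic left Tor
    through, not the client behind it (the report's own caveat)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than guess
        ip = ipaddress.ip_address(m.group("ip"))
        if ip in exit_nodes:
            events.append((str(ip), m.group("req"), int(m.group("status"))))
    return events


def events_per_exit(events):
    """Count events per exit address: a per-relay spike, not a per-attacker one."""
    return Counter(ip for ip, _, _ in events)


def ipset_rules(exit_nodes, set_name="tor_exits"):
    """Emit the shell commands that load the IPv4 exit addresses into an ipset
    and drop inbound packets from them. IPv6 entries would need a second set
    created with 'family inet6', so they are skipped here."""
    v4 = sorted(ip for ip in exit_nodes if ip.version == 4)
    lines = [f"ipset create {set_name} hash:ip family inet -exist"]
    lines += [f"ipset add {set_name} {ip} -exist" for ip in v4]
    lines.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return lines


if __name__ == "__main__":
    nodes = load_exit_nodes(SAMPLE_EXIT_LIST)
    for ip, req, status in tor_events(SAMPLE_ACCESS_LOG, nodes):
        print(f"tor-exit {ip} {status} {req}")
    print("\n".join(ipset_rules(nodes)))
```

The exit list changes as relays join and leave, so a real deployment re-downloads it and rebuilds the set on a schedule rather than loading it once; the `-exist` flags make the commands safe to re-run. Because every hit is keyed on the relay's address, the per-exit counts say where Tor traffic entered the network, not where the attacker is.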
IBM said SQL injection attacks are on the rise, in part because of the growing use of automated attack tools such as Havij, which was originally developed for security researchers.
The report also found rapid evolution in ransomware, including the appearance of “ransomware as a service” and highly specialised attacks, such as those that target the local files of popular online games.
“We are observing the start of a prolonged battle with ransomware, as ransomware attacks diversify from simple scams to more elaborate ones that target high-value communities or businesses,” IBM stated.
A single ransomware tool, CryptoWall, has made attackers about $18m (£11m), according to FBI figures cited in the report.
This is utterly absurd. The approach to "security" is a joke. You can't stop these attacks by blocking the Tor network because there are other better/easier avenues of attack which aren't obvious or done through Tor. Ignorance and incompetence plague the security world. Security doesn't come from blocking Tor. Security comes from patching holes in software, and it's the poor tech that companies are implementing that is the real security threat.
Why would IBM make such an assertion?
Because it's in their interests, and their attempt to spin it so as to make it sound like they have our safety at heart is utterly laughable and completely transparent.
There are certainly many areas where internet security needs to be much improved, but their attempt to demonize tor users has nothing at all to do with addressing those issues.
How stupid do they think we are?
The basis for Tor is understandable; everybody likes to know their details and what they do are kept private. Unfortunately, because of how Tor works, a lot of very, very bad and cruel people have been allowed to show their works on the Internet knowing they'll not be discovered, a.k.a. the Deep Dark Web. Very sick and twisted, and this needs to be stopped at all costs, so if shutting down websites like Tor is what it takes to stop the privacy of these people, then so be it.