The Cybersecurity and Infrastructure Security Agency (CISA), with contributions from the Federal Bureau of Investigation (FBI), issued an advisory on cyberattacks from the Tor network, and recommendations for mitigation.

Tor (a.k.a. The Onion Router) is software that allows users to browse the web anonymously by encrypting and routing requests through multiple relay layers, or nodes. Threat actors are leveraging Tor to conceal their identity and point of origin when engaging in “malicious cyber activity impacting the confidentiality, integrity, and availability of an organization’s information systems and data.” Examples of this activity include performing reconnaissance, penetrating systems, exfiltrating and manipulating data, and taking services offline through denial-of-service attacks and delivery of ransomware payloads.
Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk of cyberattacks from the Tor network:
- Most restrictive approach: Block all web traffic to and from public Tor entry and exit nodes.
- Less restrictive approach: Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes.
- Blended approach: Block all Tor traffic to some resources, allow and monitor for others.
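The blended approach above amounts to a per-resource policy keyed on whether the client address is a known Tor exit. The following is an added example (not code from the advisory or from CISA) of how a defender might apply such a policy to web-server access logs: requests from exit nodes to sensitive paths are blocked, requests from exit nodes to other paths are allowed but flagged for monitoring, and everything else is allowed. The exit-node set and the log lines are constructed here using documentation IP ranges; in practice the set would be populated from the exit-address list the Tor Project publishes, and the blocked path prefixes are an assumed local policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of "known Tor exit node" addresses. These are RFC 5737
# documentation ranges, not real exit relays; a real deployment would load
# the Tor Project's published exit-address list instead.
SAMPLE_TOR_EXIT_NODES: Set[str] = {"192.0.2.10", "198.51.100.7", "203.0.113.44"}

# Assumed local policy for the blended approach: Tor traffic to these path
# prefixes is blocked outright; Tor traffic elsewhere is allowed but monitored.
BLOCKED_PREFIXES: Tuple[str, ...] = ("/admin", "/api/internal")

# Constructed Common Log Format lines standing in for a real access log.
SAMPLE_LOG: List[str] = [
    '192.0.2.10 - - [10/Jul/2020:12:00:01 +0000] "GET /admin/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2020:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Jul/2020:12:00:03 +0000] "POST /api/internal/export HTTP/1.1" 200 128',
    '203.0.113.44 - - [10/Jul/2020:12:00:04 +0000] "GET /api/internal/export HTTP/1.1" 403 0',
    "garbage line that is not in Common Log Format",
]


@dataclass
class Decision:
    client_ip: str
    path: str
    action: str  # "allow", "monitor" or "block"
    reason: str


def normalize_ip(text: str) -> Optional[str]:
    """Return a canonical string form of an IPv4/IPv6 address, or None if invalid."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def parse_log_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (client_ip, request_path) from a Common Log Format line.

    Returns None for lines that do not parse, so a malformed line cannot be
    mistaken for an allowed request.
    """
    parts = line.split('"')
    if len(parts) < 2:
        return None
    fields = parts[0].split()
    if not fields:
        return None
    ip = normalize_ip(fields[0])
    request = parts[1].split()
    if ip is None or len(request) < 2:
        return None
    return ip, request[1]


def evaluate(client_ip: str, path: str,
             exit_nodes: Set[str] = SAMPLE_TOR_EXIT_NODES,
             blocked_prefixes: Tuple[str, ...] = BLOCKED_PREFIXES) -> Decision:
    """Apply the blended policy to one request."""
    if client_ip not in exit_nodes:
        return Decision(client_ip, path, "allow", "client is not a known Tor exit")
    if path.startswith(blocked_prefixes):
        return Decision(client_ip, path, "block", "Tor exit reaching a blocked resource")
    return Decision(client_ip, path, "monitor", "Tor exit reaching a permitted resource")


def triage_log(lines: List[str],
               exit_nodes: Set[str] = SAMPLE_TOR_EXIT_NODES,
               blocked_prefixes: Tuple[str, ...] = BLOCKED_PREFIXES) -> List[Decision]:
    """Run every parseable log line through the policy; unparseable lines are skipped."""
    decisions = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        decisions.append(evaluate(parsed[0], parsed[1], exit_nodes, blocked_prefixes))
    return decisions


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count decisions per action, for a quick view of how much Tor traffic a policy touches."""
    counts: Dict[str, int] = {"allow": 0, "monitor": 0, "block": 0}
    for d in decisions:
        counts[d.action] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for d in results:
        print(f"{d.action:<7} {d.client_ip:<15} {d.path:<25} {d.reason}")
    print(summarize(results))
```

Running the triage over the constructed log yields two blocks (exit nodes hitting `/admin` and `/api/internal`), one monitored request (an exit node fetching `/index.html`) and one plain allow (an internal address), with the malformed line dropped. The "monitor" bucket is what feeds a detection pipeline under the less restrictive approach; the "block" bucket is the control under the most restrictive one, and the prefix list is what turns the two into the blended approach.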
Read more about it here.