Security News

An unknown threat actor managed to control more than 27% of the entire Tor network exit capacity in early February 2021, a new study on the dark web infrastructure revealed. "The entity attacking Tor users is actively exploiting tor users since over a year and expanded the scale of their attacks to a new record level," an independent security researcher who goes by the name nusenu said in a write-up published on Sunday.

Ransomware criminals have posted trophy pictures on their Tor blog after attacking the police force for US capital Washington DC. The Metropolitan Police Department said it was "Aware of unauthorised access on our server" and had engaged the FBI to investigate, according to BleepingComputer. Babuk, a relatively new ransomware gang, claimed credit for the attack and claimed to have stolen 250GB of files from the force.

A recently observed malware botnet targeting Linux systems is employing many of the emerging techniques among cyber-criminals, such as the use of Tor proxies, legitimate DevOps tools, and the removal of competing malware, according to new research from anti-malware vendor Trend Micro. The researchers say the malware is capable of downloading all of the files it needs from the Tor anonymity network, including post-infection scripts and legitimate, essential binaries that might be missing from the environment, such as ss, ps, and curl.

Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network. In order to evade detection, Gafgyt tor uses Tor to hide its command-and-control communications, and encrypts sensitive strings in the samples.

Files appearing to originate from Qualys were dumped online this afternoon on the Tor blog of the Clop criminal extortionists. Ransomware gang specialist Brett Callow, of infosec biz Emsisoft, told The Register: "Entities that have had dealings with Qualys should be on high alert."

Brave has patched up its privacy-focused web browser after it was spotted leaking its Tor users' dark-web habits. Onion domains visited by the browser to whatever DNS servers the software was configured to use for non-Tor websites, allowing whoever operates those DNS servers - or anyone who can snoop on the queries in transit - to figure out the kinds of hidden services frequented by an individual user.

Brave Browser is fixing a privacy issue that leaks the Tor onion URL addresses you visit to your locally configured DNS server, exposing the dark web websites you visit. To access Tor onion URLs, Brave added a 'Private Window with Tor' mode that acts as a proxy to the Tor network.

UPDATE. Hot on the heels of the Emotet takedown announced Wednesday, the NetWalker ransomware has also been partially disrupted by an international police action. The Department of Justice said Wednesday that it has brought charges "Against a Canadian national in relation to NetWalker ransomware attacks," while also seizing around $454,500 in cryptocurrency from ransom payments made by three separate victims.

Researchers at Sophos noticed recently that the operators of multiple ransomware families have been using a backdoor named SystemBC, which provides attackers a connection to compromised devices and which uses the Tor anonymity network to hide command and control communications. Designed with support for the execution of commands and to allow adversaries to download and execute scripts, executables, and DLLs, the backdoor is continuously evolving, with recent samples having switched from creating a SOCKS5 proxy to using the Tor network for communication purposes.

Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research. The SystemBC RAT has since expanded the breadth of its toolset with new characteristics that allow it to use a Tor connection to encrypt and conceal the destination of C2 communications, thus providing attackers with a persistent backdoor to launch other attacks.