Malicious exit nodes have been blacklisted

Apr 23, 2015 21:45 GMT

SIGAINT, an email service that resides mostly in anonymization network Tor, has become the victim of an unknown attacker who tried to compromise it by using a total of 70 bad exit nodes.

The Tor network anonymizes a user's connection to its destination by routing it through multiple relays that do not know who originated it. The last machine in the chain is called an exit relay (or exit node), and its IP address, rather than the real user's, is what the contacted server sees.

Because exit nodes are the last hop Tor traffic takes, and their IP address appears as the origin of the connection, they may attract the attention of law enforcement agencies.

SIGAINT offers public email services that ensure the privacy associated with Tor, and it is intended to help journalists and activists stay safe from surveillance activities.

Stealing user passwords was not the object of the attack

On Thursday, one of the service's admins announced that SIGAINT had become the target of an attack, initially believed to have been carried out via 58 Tor exit nodes. Philipp Winter, who is involved in the Tor Project, then uncovered 12 more, bringing the total of bad relays to 70.

All of them have been blacklisted, and since traffic to them is now blocked they should no longer pose a risk. Although the SIGAINT admin believes some user passwords may have been compromised, he does not think the service's infrastructure was affected.

“We are confident that they didn't get in. It looks like they resorted to rewriting the .onion URL located on sigaint.org to one of theirs so they could MITM [man-in-the-middle] logins and spy in real-time,” the administrator said on the Tor mailing list.

The admin also said it was unlikely the attacker was after user passwords, because the number of complaints about hijacked accounts is insignificant (less than one per 42,000 users every three months).
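The tampering the admin describes, a clearnet page whose advertised .onion address is rewritten by whichever exit relay the client happens to use, is detectable from the outside by fetching the same page through many exits and comparing what each one returns. The following script is an added example, not code from SIGAINT, the Tor Project or the article: it takes a set of page bodies keyed by exit fingerprint (the fingerprints, page markup and both onion addresses are constructed for the example), extracts the .onion hostnames from each, derives the majority value as the reference, and flags exits that returned something else. An exit that returned no address at all (a failed or timed-out fetch) is reported as inconclusive rather than malicious, since the absence of evidence is not evidence of rewriting.

```python
import re
from collections import Counter

# Matches v2 (16 character) and v3 (56 character) onion hostnames.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b")

# Constructed sample data: the body of the same clearnet page as retrieved
# through five exit relays. Fingerprints and onion addresses are made up;
# the genuine address is assumed to be exampleonion2345.onion.
OBSERVATIONS = {
    "EXIT_A_FINGERPRINT": '<p>Tor users: <a href="http://exampleonion2345.onion/">webmail</a></p>',
    "EXIT_B_FINGERPRINT": '<p>Tor users: <a href="http://exampleonion2345.onion/">webmail</a></p>',
    "EXIT_C_FINGERPRINT": '<p>Tor users: <a href="http://attackeronion777.onion/">webmail</a></p>',
    "EXIT_D_FINGERPRINT": "",  # fetch failed or timed out through this exit: no body
    "EXIT_E_FINGERPRINT": '<p>Tor users: <a href="http://exampleonion2345.onion/">webmail</a></p>',
}


def extract_onions(body):
    """Return the set of .onion hostnames found in a fetched page body."""
    return {m.group(0) for m in ONION_RE.finditer(body)}


def classify_exits(observations, reference=None):
    """Classify each exit as consistent, suspicious or inconclusive.

    observations maps an exit fingerprint to the page body seen through it.
    If no reference address is given, the majority value among exits that
    returned exactly one address is used; a tie is refused rather than
    guessed, because a wrong reference would flag the honest exits.
    """
    per_exit = {fp: extract_onions(body) for fp, body in observations.items()}

    if reference is None:
        votes = Counter(next(iter(seen)) for seen in per_exit.values() if len(seen) == 1)
        if not votes:
            raise ValueError("no usable observations to derive a reference from")
        ranked = votes.most_common(2)
        if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
            raise ValueError("no clear majority; pass an explicit reference")
        reference = ranked[0][0]

    verdicts = {}
    for fp, seen in per_exit.items():
        if not seen:
            verdicts[fp] = "inconclusive"   # nothing came back, cannot judge
        elif seen == {reference}:
            verdicts[fp] = "consistent"     # exactly the expected address
        else:
            verdicts[fp] = "suspicious"     # a different or extra address
    return verdicts


if __name__ == "__main__":
    for fingerprint, verdict in sorted(classify_exits(OBSERVATIONS).items()):
        print(f"{fingerprint}: {verdict}")
```

In practice the reference value should come from an out-of-band source (the operator's own knowledge of the address) rather than from a majority vote, since an attacker controlling enough of the sampled exits could outvote the honest ones; the majority fallback is only a convenience when no such reference is at hand. The same comparison generalizes to any attribute an exit could rewrite, such as a TLS certificate fingerprint or a download's hash.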

Bad exit nodes represented 6% of the total, may have run Raspberry Pi

He also said he believed “some agency” was behind the attack; if so, a security measure such as adding SSL support to the regular website would not help much, although it would make the attack trickier to carry out.

Roger Dingledine, Tor Project leader, and Seth David Schoen from EFF (Electronic Frontier Foundation) argued in favor of using SSL.

As for the bad relays, Philipp Winter said they made up about 6% of all exit nodes but had only a 2.7% probability of being selected to carry traffic to the destination.

After checking the Tor logs, he noted that almost all of them had been added less than a month earlier and had joined the network in small batches so as not to raise suspicion.

The Tor community joined the effort to find out more about the bad relays, and it was discovered that 21 of them pointed to “vultr.com,” a cloud services provider, though at least nine hosting services were used in total.

Moreover, the attacker appears to have relied on a stable version of Debian to power the machines; one user pointed out that the version string observed is the one present on many Raspberry Pi devices.