IBM is warning corporates to start blocking TOR services from their networks, citing rising use of the encrypted network to deliver payloads like ransomware.
The advice comes in the company’s latest X-Force research team report (PDF).
IBM claims there were around 180,000 malicious traffic “events” in the USA between January 1 and May 10 this year, with 150,000 in the Netherlands, and more than 50,000 in each of Romania, France, Luxembourg and Uruguay.
While the rise of ransomware is worrying, the biggest attacks emanating from TOR exit nodes are familiar old favourites: SQL injection, vulnerability scanning, and denial-of-service.
TOR is also providing an infrastructure for command-and-control networks, the report states.
The report also speculates that wrong-doing is shifting from simple financial attacks to something that looks more like industrial espionage. It says the top two industries attacked in its study were information and communications, followed by manufacturing.
“A likely explanation is that these attacks are not after money — they’re attempts to steal intellectual property and/or spy on company operations”, the report says.
X-Force threat researcher John Kuhn also told Dark Reading that attackers are looking for information about manufacturers’ SCADA networks.
“Essentially, corporate networks must prevent traffic to and from stealth networks such as Tor. Though the Tor network is large, it is finite, and various frequently updated directories exist to identify Tor nodes, enabling wholesale blocking at the firewall”, the report advises.
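One way to act on that advice on the detection side, as an added example that is not code from IBM's report or from this article: match firewall records in both directions against a node list and refuse to use a list that has gone stale. The list format (one address per line), the "src dst dport" log layout, the 24-hour freshness limit and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed node list (assumed format: one address per line, '#' comments).
NODE_LIST = """\
# constructed sample, documentation address ranges only
192.0.2.10
198.51.100.77
2001:db8::5
not-an-ip
"""

# Constructed firewall records in an assumed "src dst dport" layout.
LOG_LINES = [
    "10.1.4.20 192.0.2.10 9001",       # internal host -> listed node
    "198.51.100.77 10.1.9.5 443",      # listed node -> internal server
    "10.1.4.21 203.0.113.8 443",       # unrelated traffic
    "fd00::22 2001:db8:0:0::5 443",    # same node, different IPv6 spelling
]

def load_nodes(text, fetched_at, now, max_age=timedelta(hours=24)):
    """Parse the list into address objects; refuse a list older than max_age."""
    if now - fetched_at > max_age:
        raise ValueError("node list is stale; refresh before enforcing")
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip malformed entries instead of aborting the load
    return nodes

def classify(record, nodes):
    """Return the direction of a match, or None if neither end is listed."""
    src, dst, _dport = record.split()
    if ipaddress.ip_address(dst) in nodes:
        return "outbound-to-node"
    if ipaddress.ip_address(src) in nodes:
        return "inbound-from-node"
    return None

def scan(lines, nodes):
    return [(l, d) for l in lines if (d := classify(l, nodes)) is not None]

if __name__ == "__main__":
    now = datetime(2015, 8, 27, tzinfo=timezone.utc)  # constructed timestamp
    print(scan(LOG_LINES, load_nodes(NODE_LIST, now - timedelta(hours=1), now)))
```

Comparing parsed address objects rather than strings is what lets the last record match even though the IPv6 address is written differently from the list entry.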
IBM’s advice came just before news broke that even a TOR “darknet” service has started wondering whether the network is sufficiently secure.
Citing recent research in which boffins have de-anonymised TOR hidden services, licit-and-illicit goods providore Agora has posted an announcement to Reddit that it’s “suspending services”.
The announcement says there are “interested parties” who have the resources to launch a de-anonymisation attack against the service.
“We have a solution in the works which will require big changes into our software stack which we believe will mitigate such problems, but unfortunately it will take time to implement. Additionally, we have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again, however this is only a temporary solution”, the statement continues.
Agora reckons it’ll be back, but in the meantime it’s trying to clear current orders, and is telling people not to send Bitcoin to any deposit addresses it hosts.