NetWalker… made a brief walk on the Argentina border ⛔

Argentina’s immigration agency, Dirección Nacional de Migraciones (DNM), was the victim of a ransomware attack that temporarily halted border crossings, with hackers demanding $4 million in Bitcoin.

The attack was first reported by the Argentinean government on August 27 to the country’s cybercrime agency, after multiple calls from border checkpoints suggested their computer networks were compromised.

Border authorities found that their computer systems, including apps and shared folders, were hit by an unidentified virus in the small hours. They took swift action and shut down central servers to prevent the virus from propagating to other systems over the network.

All Argentinean immigration offices and control posts were put out of service for four hours until they were brought online again.

“The Comprehensive Migration Capture System (SICaM) that operates in international crossings was particularly affected, which caused delays in entry and exit to the national territory,” the DNM stated.

Ransomware attackers demand $4m in Bitcoin

The attackers were later identified by authorities as NetWalker, a ransomware operation that targets corporate computer networks. Its usual pattern of attack is to encrypt or password-protect the files and in turn demand a ransom.

The NetWalker hackers who attacked Argentina’s immigration agency flashed a payment message leading to a Tor network page, demanding $2 million in Bitcoin as ransom. This figure was then changed to $4 million after seven days, approximately 355 Bitcoin at the time.

Ransomware is becoming a nightmare for every organization, whether government or private…

Tor finally fixes a bug that has enabled DDoS for years

Launching DDoS attacks against dark web sites could soon be a little more difficult to pull off, now that the Tor Project is preparing to fix a bug that has been abused by attackers for years.

A bug that has annoyed onion service operators for many years. The bug itself is a denial-of-service (DoS) issue that an attacker can exploit to initiate thousands of connections to a targeted dark web site.

The remote onion service needs to negotiate a complex circuit through the Tor network to secure the connection between a user and the site’s server. As this process is very CPU intensive, initiating thousands of these connections can quickly overload a site’s server to the point where it can’t accept any new connections.

This has been known for a long time, yet the Tor developers had not released any patch or fix to overcome this obstacle.

“The attacks exploit the inherent asymmetric nature of the onion service rendezvous protocol, and that makes it a hard problem to defend against. During the rendezvous protocol, an evil client can send a small message to the service while the service has to do lots of expensive work to react to it. This asymmetry opens the protocol to DoS attacks, and the anonymous nature of our network makes it extremely challenging to filter the good clients from the bad.”

To make matters worse, a tool named Stinger-Tor was uploaded to GitHub more than four years ago, which allows anyone to carry out a DoS attack on a dark web site just by running a Python script. There are other tools like this one out there that exploit the bug in Tor, and cybercrime groups have been selling them on underground forums.

Members of the Dread community have been encouraging users to donate to the Tor Project. These donations seem to have done the trick, as developing a fix for this vulnerability is now being prioritized. The proposed fix won’t completely deal with the issue, but it will make DoS attacks less effective against dark web sites.

The fix is scheduled to arrive with the upcoming Tor 0.4.2 release, and it should make things a bit easier for sites running on the Tor network.

Mysterious Tor 😳!

A Mystery Surrounding the Tor Network

An unidentified threat actor has been attempting to add new servers to the Tor network, with the intention of carrying out SSL stripping attacks on users of the Tor Browser and on Tor relays.

Overview

Since the beginning of the year, the group has been trying to take control over the Tor network via Tor exit relays.

When a Tor browser user accesses any cryptocurrency-related website, if the traffic happens to pass through the attacker-controlled Tor exit relays, the attacker could manipulate the traffic in their favor.

When a user makes a cryptocurrency transaction, the traffic to Bitcoin mixing services is routed through Tor exit nodes. By controlling these exit nodes, the attacker could replace the destination Bitcoin address of any such transaction without the user’s knowledge, thus carrying out a man-in-the-middle attack.

Mode of operation

While carrying out the man-in-the-middle attack, the attackers leveraged the SSL stripping method, in which they downgraded the targeted web traffic from HTTPS URLs to less secure HTTP requests. Within these HTTP requests, the attackers would replace the Bitcoin addresses entered by users bound for Bitcoin mixing services, effectively hijacking the transaction without the user’s knowledge.
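As an added example (not from the original article), here is a defender-side audit in Python for the pattern described above: given a recorded exchange, it flags the HTTPS-to-HTTP downgrade, a missing HSTS header, links or forms rewritten to plain HTTP, and any payout address on the page that differs from the one the user intended. The mixer host, both addresses and both exchanges are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Loose match for legacy (1.../3...) and bech32 (bc1...) mainnet addresses.
BTC_ADDR = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

@dataclass
class Exchange:
    requested_url: str  # what the user typed or clicked
    final_url: str      # scheme/host the response actually came from
    headers: dict       # response headers
    body: str           # response body (HTML)

def audit(ex: Exchange, expected_addr: str) -> list:
    """Return findings for one exchange; an empty list means nothing suspicious."""
    findings = []
    # 1. Requested over HTTPS but served over HTTP: the classic strip signature.
    if ex.requested_url.startswith("https://") and ex.final_url.startswith("http://"):
        findings.append("scheme-downgrade")
    # 2. No HSTS header, so the browser has no standing reason to refuse HTTP.
    if "strict-transport-security" not in {k.lower() for k in ex.headers}:
        findings.append("no-hsts")
    # 3. Links/forms rewritten to plain http:// on a page requested over https.
    if ex.requested_url.startswith("https://") and re.search(r'(?:href|action)="http://', ex.body):
        findings.append("plain-http-links")
    # 4. Any payout address in the page that is not the one the user intended.
    for addr in sorted(set(BTC_ADDR.findall(ex.body))):
        if addr != expected_addr:
            findings.append("foreign-address:" + addr)
    return findings

# Constructed sample data (placeholder host, addresses and captures).
USER_ADDR = "bc1q" + "0" * 38     # address the user meant to receive funds at
SWAPPED_ADDR = "bc1q" + "7" * 38  # address an exit-relay attacker substitutes
FORM = '<form action="%s://mixer.example/send"><input name="to" value="%s"></form>'

CLEAN = Exchange("https://mixer.example/deposit", "https://mixer.example/deposit",
                 {"Strict-Transport-Security": "max-age=63072000"},
                 FORM % ("https", USER_ADDR))
STRIPPED = Exchange("https://mixer.example/deposit", "http://mixer.example/deposit",
                    {"Content-Type": "text/html"},
                    FORM % ("http", SWAPPED_ADDR))

if __name__ == "__main__":
    print("clean:   ", audit(CLEAN, USER_ADDR))     # []
    print("stripped:", audit(STRIPPED, USER_ADDR))  # four findings
```

The same checks can be run over a HAR export or a proxy log instead of the constructed exchanges; the scheme downgrade and the foreign address are the two findings that matter most for the campaign described here.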

The scale of the attack campaign

As of May 22, 2020, the threat actor controlled over 23.95% of all Tor exit relays (380 servers), giving them the chance to control approximately one in every four transactions.

Once identified, the Tor team intervened to cut off the malicious servers. However, it is believed that as of Aug 8 these attackers were still running more than 10% of the Tor network’s exit capacity.

Concluding thought

To date, there is a lack of strict security checks on which entities can join the Tor network, so such attacks can be expected to continue in the future. Besides man-in-the-middle attacks, users need to be cautious about the risks related to recently disclosed vulnerabilities in the Tor network. Users should keep the Tor Browser and all associated modules updated with the latest patches and use capable anti-malware solutions and firewalls to stay protected.