The author of the OrNetRadar project, which monitors the connection of new groups of nodes to Tor's anonymous network, published a report on identifying a great exit node operator Malicious Tor, which is trying to manipulate user traffic.
According to these statistics, on the 22 of maI fixed the connection to the Tor network from the large group of malicious hosts, in which an attacker to gain control of the traffic, covered 23,95% of all calls through the exit nodes.
In December 2019 I wrote about the growing problem of malicious relays on the Tor network with the motivation to raise awareness and improve the situation over time. Unfortunately, instead of getting better, things have gotten worse, specifically when it comes to malicious Tor outbound relay activity.
At its peak, the malicious group consisted of about 380 nodes. By linking nodes based on contact emails listed on servers with malicious activity, researchers They were able to identify at least 9 different groups of malicious exit nodes that have been active for about 7 months.
Tor developers tried to block malicious hosts, but the attackers quickly recovered their activity. Currently, the number of malicious sites has decreased, but more than 10% of the traffic still passes through them.
There are established countermeasures, such as preloading of HSTS and HTTPS everywhere, but in practice, many website operators they don't implement them and they leave their users vulnerable to this type of attack.
This type of attack is not specific to the Tor browser. Malicious relays are only used to gain access to user traffic and to make detection difficult, the malicious entity did not attack all websites equally.
They seem to primarily search for cryptocurrency related websitesi.e. multiple bitcoin mixing services.
They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the bitcoin address provided by the user. Bitcoin address rewrite attacks are not new, but the scale of their operations is. It is not possible to determine if they participate in other types of attacks.
Targeted removal of redirects to HTTPS variants of sites of activity logged on malicious exit nodes is seen on initial access to an unencrypted resource over HTTP, allowing attackers to intercept session content without falsifying certificates TLS ("SSL kill" attack).
A similar approach works for users who type the site address without explicitly indicating "https: //" in front of the domain and after opening the page do not focus on the protocol name in the Tor browser's address bar. To protect against blocking redirects to HTTPS sites, it is recommended to use HSTS preload.
I reached out to some of the known affected bitcoin sites, so they can mitigate this on a technical level using HSTS preload. Someone else posted the HTTPS-Everywhere rules for the known affected domains (HTTPS Everywhere is installed by default in the Tor browser). Unfortunately, none of these sites had HSTS preload enabled at the time. At least one affected bitcoin website implemented HSTS preload after learning of these events.
After the December 2019 blog post, Project Tor had some promising plans for 2020 with a person dedicated to driving improvements in this area, but due to recent layoffs related to COVID19, that person was assigned to another area.
On top of that, the Tor directory authorities are apparently no longer removing the relays that they used to remove for a few weeks.
It's unclear what triggered this policy change, but apparently someone likes it and is adding undeclared relay groups.
Finally, if you want to know more about it, you can check the details in the following link