December 1, 2016 By Larry Loeb 2 min read

It has been a rough week for privacy-focused web browser Tor, or The Onion Router. Its underlying software was affected by browser malware, and cybercriminals were found to be hiding ransomware on the Tor network.

On Tuesday, the Tor mailing list reported the existence of a zero-day Firefox exploit that had been seen in the wild. While the researchers have yet to determine its exact function, they reported that the exploit had gained access to VirtualAlloc in kernel32.dll.

Fighting Fire With Firefox

Dan Guido of security firm Trail of Bits took a closer look at the code provided to the list. He found that it was a standard use-after-free exploit, not a heap overflow as some had surmised. He also discovered that it affected the scalable vector graphics (SVG) parser in Firefox. Since the Tor browser is built upon Firefox, any problem with Firefox is a problem for Tor.

“This type of exploit is much harder to write in Chrome and Edge due to memory partitioning, an exploit mitigation that Firefox lacks,” Guido said on Twitter, adding that he believed the creator wrote the exploit from scratch. Another researcher, meanwhile, noted that the payload delivered by the exploit was almost the same as the one the FBI used in 2013 to track child pornographers.

In the Tor newsletter, Roger Dingledine wrote that the Mozilla security team had located the bug and was working on a patch, which was later delivered to users. According to SecurityWeek, users can also prevent many websites from exhibiting their full functionality by disabling JavaScript.

How Browser Malware Works

Making matters more dicey, Cisco Talos researchers also noted that a new variant of Cerber ransomware was using redirections via Google and a Tor2Web proxy service to evade detection and mitigation. It did so by trying to hide the command-and-control (C&C) servers involved in the scheme.

Threatpost reported that the phishing emails designed to trigger the start of the infection process contained hyperlinks, not attachments. These links are disguised as files that would be attractive to victims, such as pictures and order details.

The specific URL to which the hyperlink resolves uses Google redirection, which redirects the victim to the malicious payload hosted on the Tor network. But how do the fraudsters get the victim onto the Dark Web without a Tor browser being present? That’s where the Tor2Web proxy service comes in.

Once fully redirected and connected, a Microsoft Word document is downloaded. It has a malicious macro attached to it that downloads the Cerber ransomware. Talos advised that organizations should block all Tor2Web and Tor traffic unless there is a specific and very important need for such services.

Ars Technica reported that Mozilla and Tor worked together to create an emergency patch for the zero-day vulnerability, but some damage may have already been done. Both episodes are black eyes for Tor. The community values its privacy, and any criminal enterprise using Tor to carry out its schemes only brings unwanted attention.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today