December 1, 2016 By Larry Loeb 2 min read

It has been a rough week for privacy-focused web browser Tor, or The Onion Router. Its underlying software was affected by browser malware, and cybercriminals were found to be hiding ransomware on the Tor network.

On Tuesday, the Tor mailing list reported the existence of a zero-day Firefox exploit that had been seen in the wild. While the researchers have yet to determine its exact function, they reported that the exploit had gained access to VirtualAlloc in kernel32.dll.

Fighting Fire With Firefox

Dan Guido of security firm Trail of Bits took a closer look at the code provided to the list. He found that it was a standard use-after-free exploit, not a heap overflow as some had surmised. He also discovered that it affected the scalable vector graphics (SVG) parser in Firefox. Since the Tor browser is built upon Firefox, any problem with Firefox is a problem for Tor.

“This type of exploit is much harder to write in Chrome and Edge due to memory partitioning, an exploit mitigation that Firefox lacks,” Guido said on Twitter, adding that he believed the creator wrote the exploit from scratch. Another researcher, meanwhile, noted that the payload delivered by the exploit was almost the same as the one the FBI used in 2013 to track child pornographers.

In the Tor newsletter, Roger Dingledine wrote that the Mozilla security team had located the bug and was working on a patch, which was later delivered to users. According to SecurityWeek, users can also prevent many websites from exhibiting their full functionality by disabling JavaScript.

How Browser Malware Works

Making matters more dicey, Cisco Talos researchers also noted that a new variant of Cerber ransomware was using redirections via Google and a Tor2Web proxy service to evade detection and mitigation. It did so by trying to hide the command-and-control (C&C) servers involved in the scheme.

Threatpost reported that the phishing emails designed to trigger the start of the infection process contained hyperlinks, not attachments. These links are disguised as files that would be attractive to victims, such as pictures and order details.

The specific URL to which the hyperlink resolves uses Google redirection, which redirects the victim to the malicious payload hosted on the Tor network. But how do the fraudsters get the victim onto the Dark Web without a Tor browser being present? That’s where the Tor2Web proxy service comes in.

Once fully redirected and connected, a Microsoft Word document is downloaded. It has a malicious macro attached to it that downloads the Cerber ransomware. Talos advised that organizations should block all Tor2Web and Tor traffic unless there is a specific and very important need for such services.

Ars Technica reported that Mozilla and Tor worked together to create an emergency patch for the zero-day vulnerability, but some damage may have already been done. Both episodes are black eyes for Tor. The community values its privacy, and any criminal enterprise using Tor to carry out its schemes only brings unwanted attention.

More from

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today