It has been a rough week for privacy-focused web browser Tor, or The Onion Router. Its underlying software was affected by browser malware, and cybercriminals were found to be hiding ransomware on the Tor network.

On Tuesday, the Tor mailing list reported the existence of a zero-day Firefox exploit that had been seen in the wild. While the researchers have yet to determine its exact function, they reported that the exploit had gained access to VirtualAlloc in kernel32.dll.

Fighting Fire With Firefox

Dan Guido of security firm Trail of Bits took a closer look at the code provided to the list. He found that it was a standard use-after-free exploit, not a heap overflow as some had surmised. He also discovered that it affected the scalable vector graphics (SVG) parser in Firefox. Since the Tor browser is built upon Firefox, any problem with Firefox is a problem for Tor.

“This type of exploit is much harder to write in Chrome and Edge due to memory partitioning, an exploit mitigation that Firefox lacks,” Guido said on Twitter, adding that he believed the creator wrote the exploit from scratch. Another researcher, meanwhile, noted that the payload delivered by the exploit was almost the same as the one the FBI used in 2013 to track child pornographers.

In the Tor newsletter, Roger Dingledine wrote that the Mozilla security team had located the bug and was working on a patch, which was later delivered to users. According to SecurityWeek, users can also prevent many websites from exhibiting their full functionality by disabling JavaScript.

How Browser Malware Works

Making matters more dicey, Cisco Talos researchers also noted that a new variant of Cerber ransomware was using redirections via Google and a Tor2Web proxy service to evade detection and mitigation. It did so by trying to hide the command-and-control (C&C) servers involved in the scheme.

Threatpost reported that the phishing emails designed to trigger the start of the infection process contained hyperlinks, not attachments. These links are disguised as files that would be attractive to victims, such as pictures and order details.

The specific URL to which the hyperlink resolves uses Google redirection, which redirects the victim to the malicious payload hosted on the Tor network. But how do the fraudsters get the victim onto the Dark Web without a Tor browser being present? That’s where the Tor2Web proxy service comes in.

Once fully redirected and connected, a Microsoft Word document is downloaded. It has a malicious macro attached to it that downloads the Cerber ransomware. Talos advised that organizations should block all Tor2Web and Tor traffic unless there is a specific and very important need for such services.

Ars Technica reported that Mozilla and Tor worked together to create an emergency patch for the zero-day vulnerability, but some damage may have already been done. Both episodes are black eyes for Tor. The community values its privacy, and any criminal enterprise using Tor to carry out its schemes only brings unwanted attention.

More from

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…