Battle City, colloquially known as “that tank game”, is a symbol of a bygone era. Some 30 years ago, gamers would pop a cartridge into their console, settle in front of a bulky TV, and obliterate waves of enemy tanks until the screen gave out.

Today, the world’s a different place, but tank games remain popular. Modern iterations offer gamers not just the thrill of gameplay but also the chance to earn NFTs. Cybercriminals too have something to offer: a sophisticated attack targeting crypto-gaming enthusiasts.

Backdoor and zero-day exploit in Google Chrome

This story begins in February 2024, when our security solution detected the Manuscrypt backdoor on a user’s computer in Russia. We’re very familiar with this backdoor; various versions of it have been used by the Lazarus APT group since at least 2013. So, given we already know the main tool and methods used by the attackers — what’s so special about this particular incident?

The thing is that these hackers typically target large organizations like banks, IT companies, universities, and even government agencies. But this time, Lazarus hit an individual user, planting a backdoor on a personal computer! The cybercriminals lured the victim to a game site and thereby gained complete access to their system. Three things made this possible:

• The victim’s irresistible desire to play their favorite tank game in a new format
• A zero-day vulnerability in Google Chrome
• An exploit that allowed remote code execution in the Google Chrome process

Before you start to worry, relax: Google has since released a browser update, blocked the tank game’s website, and thanked the Kaspersky security researchers. But just in case, our products detect both the Manuscrypt backdoor and the exploit. We’ve delved into the details of this story on the Securelist blog.

Fake accounts

At the start of the investigation, we thought the group had gone to extraordinary lengths this time: “Did they actually create an entire game just for a scam?” But we soon worked out what they’d really done. The cybercriminals based their game — DeTankZone — on the existing game DeFiTankLand. They really went all out, stealing the source code of DeFiTankLand and creating fake social media accounts for their counterfeit.

Around the same time, in March 2024, the price of the DefitankLand (sic) cryptocurrency plummeted — the developers of the original game announced that their cold wallet had been hacked, and “someone” had stolen $20,000. The identity of this “someone” remains a mystery. The developers believe it was an insider, but we suspect that the ever-present tentacles of Lazarus are involved.

The cybercriminals orchestrated a full-blown promotion campaign for their game: they boosted follower counts on X (formerly Twitter), sent collaboration offers to hundreds of cryptocurrency influencers (also potential victims), created premium LinkedIn accounts, and organized waves of phishing emails. As a result, the fake game got even more traction than the original (6000 followers on X, versus 5000 for the original game’s account).

How we played tanks

Now for the most fun part…

The malicious site that Lazarus lured their victims to offered a chance, not only to “try out” a zero-day browser exploit, but also to play a beta version of the game. Now, here at Kaspersky, we respect the classics, so we couldn’t resist having a go on this promising new version. We downloaded an archive that seemed completely legitimate: 400MB in size, correct file structure, logos, UI elements, and 3D model textures. Boot her up!

The DeTankZone start menu greeted us with a prompt to enter an email address and password. We first tried logging in using common passwords like “12345” and “password” but that doesn’t work. “Fine, then”, we think. “We’ll just register a new account”. Again, no luck — the system wouldn’t let us play.

So why were there 3D model textures and other files in the game archive? Could they really have been other components of the malware? Actually, it wasn’t that bad. We reverse-engineered the code and discovered elements responsible for the connection to the game server — which, for this fake version, was non-functional. So, in theory, the game was still playable. A bit of time spent, a little programming, and voilà — we replace the hackers’ server with our own, and the red tank “Boris” enters the arena.

Lessons from this attack

The key takeaway here is that even seemingly harmless web links can end up with your entire computer being hijacked. Cybercriminals are constantly refining their tactics and methods. Lazarus is already using generative AI with some success, meaning we can expect even more sophisticated attacks involving it in the future.

Security solutions are also evolving with effective integration of AI — learn more here and here. All ordinary internet users have to do is make sure their devices are protected, and stay informed about the latest scams. Fortunately, the Kaspersky Daily blog makes this easy — subscribe to stay updated…

Kaspersky official blog – ​Read More

Overview

A recently discovered high-severity vulnerability, tracked as CVE-2024-10443 and dubbed “RISK:STATION,” poses a significant threat to Synology NAS users worldwide.

The vulnerability, affecting Synology DiskStation and BeeStation models, allows remote code execution without user interaction, heightening the potential for malicious exploitation.

CERT-In has released an advisory urging Synology users to apply critical security patches immediately to secure their devices and prevent unauthorized access.

Affected Systems and Risk Assessment

The flaw specifically impacts Synology Photos and BeePhotos components, which come pre-installed on many Synology NAS products. Vulnerable versions include:

• BeePhotos for BeeStation OS 1.1 – versions below 1.1.0-10053
• BeePhotos for BeeStation OS 1.0 – versions below 1.0.2-10026
• Synology Photos 1.7 for DSM 7.2 – versions below 1.7.0-0795
• Synology Photos 1.6 for DSM 7.2 – versions below 1.6.2-0720

Given that NAS devices are highly valuable targets in ransomware attacks, the risks associated with this vulnerability are extensive, including data theft, malware installation, and unauthorized system access.

System owners using affected versions are encouraged to upgrade to secure versions immediately.

Impact and Exploitation Risks

The “RISK:STATION” vulnerability represents an “unauthenticated zero-click” attack vector. Attackers exploiting this flaw can gain root-level control without any user interaction.

Synology’s QuickConnect feature, a remote-access service, further increases device exposure, as it allows attackers to reach NAS devices even behind firewalls. According to the researchers who were credited with finding this zero-click bug, this flaw carries a high potential for misuse and could impact an estimated one to two million devices globally.

Device Exposure and Enumeration Concerns

The vulnerability’s severity is amplified by Synology’s QuickConnect feature’s extensive reach. This service provides devices with a unique subdomain that enables remote access, even bypassing firewalls and NAT configurations.

Due to the ease of obtaining these subdomains through Certificate Transparency logs, adversaries can readily enumerate exposed Synology devices. QuickConnect domains often contain identifiable names or locations, raising privacy concerns and potentially making it easier for attackers to prioritize targets.

Mitigations and Recommended Actions

Synology has issued patches that effectively neutralize this vulnerability, covering both the SynologyPhotos and BeePhotos applications. Users should ensure they apply the following updates:

• For Synology DiskStation (DSM 7.2):

• Synology Photos 1.7 – Update to version 1.7.0-0795
• Synology Photos 1.6 – Update to version 1.6.2-0720

• For Synology BeeStation:

• BeePhotos 1.1 – Update to version 1.1.0-10053
• BeePhotos 1.0 – Update to version 1.0.2-10026

Alternatively, users can mitigate exposure by disabling QuickConnect, blocking ports 5000 and 5001, and disabling the SynologyPhotos or BeePhotos components if not actively in use.

Although these actions prevent internet-based exploitation, they do not secure devices within local networks, so a firmware update remains the most effective solution.

Conclusion

The CVE-2024-10443 vulnerability in Synology NAS devices showcases the need for proactive patching, particularly for high-value, internet-exposed assets. Synology users are urged to follow the recommended upgrade steps or apply alternative mitigation measures to secure their devices from exploitation. By addressing these vulnerabilities promptly, organizations can reduce the likelihood of unauthorized access, ransomware attacks, and data breaches on their network-attached storage devices.

Source:

https://www.cert-in.org.in

https://www.synology.com/en-global/security/advisory/Synology_SA_24_18

https://www.synology.com/en-global/security/advisory/Synology_SA_24_19

https://www.midnightblue.nl/research/riskstation

The post Critical Zero-Click Vulnerability in Synology NAS Devices Needs Urgent Patching appeared first on Cyble.

Blog – Cyble – ​Read More

• Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.  
• Our analysis uncovered that the attacker used multiple components in the delivery chain including a Remote Access Tool (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger before deploying and enabling the ransomware encryptor binary. 
• We also observed that the attacker primarily used remote desktop protocol (RDP) to move laterally within the victim’s network, as well as other tools such as AnyDesk and PuTTY. 
• The attacker used Azure Storage Explorer, which leverages the utility AZCopy, to exfiltrate the victim’s data to an attacker-controlled Azure storage blob.  
• The timeline of the attacker’s activity, from the initial compromise stage until the deployment of ransomware encryptor binary, indicates their dwelling time in the victim’s environment was about 17 days.  
• Talos assesses with low confidence that Interlock ransomware is likely a new diversified group that emerged from Rhysida ransomware operators or developers, based on some similarities in the operators’ tactics, techniques, and procedures (TTPs) and in the ransomware encryptor binaries. 

Who is Interlock? 

Interlock first appeared in public reporting in September 2024 and has been observed launching big-game hunting and double extortion attacks. The group has notably targeted businesses in a wide range of sectors, which at the time of reporting includes healthcare, technology, government in the U.S. and manufacturing in Europe, according to the data leak site disclosure, indicating their targeting is opportunistic. 

Like other ransomware players in the big-game hunting space, Interlock also operates a data leak site called “Worldwide Secrets Blog,” providing links to victims’ leaked data, chat support for victims’ communications, and the email address, “interlock@2mail[.]co”.   

In their blog, Interlock claims to target organizations’ infrastructure by exploiting unaddressed vulnerabilities and claims their actions are in part motivated by a desire to hold companies’ accountable for poor cybersecurity, in addition to monetary gain. 

Recent attack methodologies 

Throughout the investigation into the Interlock ransomware attack, Talos observed several notable TTPs used by the attacker in each stage of the delivery chain. Talos assesses that the attacker was present in the victim’s environment for approximately 17 days, from the initial compromise until deployment and execution of the Interlock ransomware. 

Initial access 

The attacker gained access to the victim machine via a fake Google Chrome browser updater executable that the victim was prompted to download from a compromised legitimate news website.  When clicked, the fake browser updater executable “upd_2327991.exe” was downloaded onto the victim machine from a second compromised URL of a legitimate retailer. 

Execution 

Talos IR discovered the fake browser updater executable is a Remote Access Tool (RAT) that automatically executes an embedded PowerShell script when downloaded and run. The script initially downloads a legitimate Chrome setup executable “ChromeSetup.exe” to the victim machine’s applications temporary folder and established persistence by dropping a Windows shortcut file in the Windows StartUp folder with the file name “fahhs.lnk” configured to run the RAT every time the victim logs in, establishing persistence.  

The RAT executes the command “cmd.exe /c systeminfo” and collects information from victim machine, listed below:

Host Name		Time Zone
OS Name		Total Physical Memory
OS Version		Available Physical Memory
OS Manufacturer		Virtual Memory
OS Configuration		Max Size
OS Build Type		Virtual Memory: Available
Registered Owner		Virtual Memory: In Use
Registered Organization		Page File Location(s)
Product ID		Domain
Original Install Date		Logon Server
System Boot Time		Hotfix(s)
System Manufacturer		Network Card(s)
System Model		Connection Name
System Type		Status
Processor(s)		DHCP Enabled
BIOS Version		DHCP Server
Windows Directory		IP address(es)
System Directory		Hyper-V Requirements
Boot Device		System Locale

Then, the RAT encrypts the collected information in the memory stream. It establishes a secured socket to the command and control (C2) server hidden behind the attacker-controlled Cloudflare domain “apple-online[.]shop”, sends the encrypted data stream of victim machine information to the C2 server, and waits to receive the response.  

The RAT also allowed the attacker to execute two other PowerShell commands on the victim machine, which downloads the encrypted data blobs of a credential stealer “cht.exe” and a keylogger binary “klg.dll”, decrypts them with the passwords “jgSkhg934@kjv#1vkfg2S” and runs them. We observed that the keylogger is a DLL file that is run using the LOLBin “rundll32.exe”.  

Defense Evasion 

Talos IR observed that EDR was disabled on some of the compromised servers in the victim environment during the investigation. According to the indicators seen, Talos IR believes that the attacker could have either leveraged an EDR uninstaller tool or instrumented a vulnerable device driver Sysmon.sys (TfSysMon.sys) to disable the EDR on the victim machine. We also observed the attacker’s attempts to delete contents of the Event logs on some of the compromised systems.  

Credential Access 

The credential stealer discovered in this campaign is compiled in Golang. It enumerates the installed browser profiles on the victim machine and copies the Login data, Login State, key4.db, browser history and bookmarks files to the victim’s application profile temporary folder. The stealer then processes the data and uses SQL queries to collect the login information of victims’ online accounts along with the associated account URLs. Finally, the data is written to a file “chrgetpdsi.txt” in the user profile temporary folder.  

The keylogger DLL running on the victim machine is a tiny executable, which hooks to the victim machine keyboard and logs keystrokes in a file called “conhost.txt”, the same folder where the Keylogger was downloaded.  

Discovery 

The attacker ran PowerShell commands that are known indicators of pre-kerberoasting reconnaissance, a method used to obtain domain admin credentials. We assess with moderate confidence that a Kerberoasting attack was used to obtain accounts with higher privileges. 

(('AD_Computers: {0}' -f ([adsiSearcher]'(ObjectClass=computer)').FindAll().count)  
([adsisearcher]'(&(objectCategory=user)(servicePrincipalName=*))').FindAll() 

Lateral Movement 

Talos IR observed that the attacker primarily used Remote Desktop Protocol (RDP) and several compromised credentials to move between systems.  Further analysis showed that the attacker has also used AnyDesk and possibly LogMeIn to allow remote connectivity. We also spotted the installation of PuTTY on the compromised machines, which was likely used to move laterally to Linux hosts. We are not clear how these tools were dropped and executed on the infected machines. 

Sample RDP command executions observed during our analysis and with the redacted IP address details are shown below. 

mstsc /v 10.*.*.* 
.conhost.exe -d 10.*.*.*e$ 

Collection and Exfiltration  

The attacker executed storage-explorer, a tool that allows users to manage and interact with Azure Storage, and AzCopy, which allows users to copy files to a remote Azure storage, in the victim’s machine. We believe that the attacker used storage-explorer to navigate and identify sensitive information in the victim network and executed AzCopy to upload the data to the Azure storage blob according to network artifacts analysis. We were not able to confirm how the storage-explorer and AzCopy were delivered to the victim machine. 

Impact 

The attacker deployed the Interlock ransomware encryptor binary with the file name “conhost.exe”, masquerading as a legitimate file, onto the victim machine and stored it in a folder named with a single digit number (example: “3” or “4”) in the user profile application data temporary folder. When run, the ransomware encrypts the targeted files on the victim machine with the file extension “.Interlock” and drops the ransom note “!__README__!.txt” file in every folder containing files that the encryptor has attempted to encrypt. Talos IR also observed that the attacker configured the ransom note to display during interactive login, was pushed using Group Policy Objects (GPOs), a Windows utility that allows users to manage Windows operating systems and applications.  

In the ransom note, the attacker warns against attempting to recover the encrypted files and rebooting the affected machines. They also demand a response within 96 hours or else they threaten to release the victim’s data on their leak site and notify the media outlets, which could lead to financial and reputational damage.  

The ransom note includes the URL for an onion site where the affected victims can contact the operator to discuss the ransom demand and purchase the decryption keys using a unique company ID of sixty alphanumeric characters generated for each victim. 

Interlock ransomware analysis 

Talos observed that Interlock ransomware has both Windows Portable Executable (EXE) and the Linux executable (ELF) variants, indicating that the attacker is targeting both Windows and Linux machines.   

The Interlock ransomware encryption binary is a 64-bit executable, compiled on October 2, 2024. The ransomware appears on the victim’s machines in a packed executable format with the custom unpacker code located in its Thread Local Storage and several obfuscated stack strings in the binary which are decrypted during the runtime of the ransomware. 

When the ransomware runs on the victim machine it initializes the binary by loading custom structures, strings, and Application programming interface (API) functions. After the initialization, it enumerates the logical disk drives that are available on the victim machine. Initially, the ransomware checks for the drive letters “A” through “Z” and excludes the “C drive”. It picks the available logical drives and enumerates all the folders and files in them, encrypting the targeted files on the victim machine and appending the file extension “.interlock” on encrypted files. Once the logical drives are enumerated, the ransomware then enumerates and encrypts the files in the folders of the “C drive”.  

During this enumeration process, the ransomware excludes specific folders and file extensions on the victim machine from being encrypted. The operator hardcoded the folder and files extension exclusion list, shown below, in the Interlock binary.

Folder exclusion list of Windows Interlock variant:

$Recycle.Bin		Windows
Boot		$RECYCLE.BIN
Documents and Settings		AppData
PerfLogs		WindowsApps
ProgramData		Windows Defender
Recovery		WindowsPowerShell
System Volume Information		Windows Defender Advanced Threat Protection

File extension exclusion list of Windows Interlock variant:

.bat	.bin	.cab
.cmd	.com	.cur
.diagcab	.diagcfg	.diagpkg
.drv	.hlp	.hta
.ico	.msi	.ocx
.psm1	.src	.sys
.ini	.url	.dll
.exe	.ps1	Thumbs.db

The Linux variant of the Interlock ransomware performs a similar enumeration of directories and files, starting from the root directory, and encrypts the files excluding those that are in the file extension exclusion list hardcoded in the binary.

File extension exclusion list of Linux Interlock variant:

boot	.cfg	.b00
.v00	.v01	.v02
.v03	.v04	.v05
.v06	.v07	.t00

Interlock ransomware uses LibTomCrypt library, an open-source comprehensive, modular and portable cryptographic library for encryption.  The Windows Interlock ransomware variant uses the Cipher Block Chaining (CBC) encryption technique to encrypt the files on the victim machine whereas the Linux Interlock variant uses either CBC or RSA encryption technique. 

Encryption routine in Windows variant	Encryption routine in ELF variant

After encrypting each of the targeted files in the victim machine Interlock drops the ransom note “!__README__!.txt” file in each of the enumerated folders. 

Windows variant ransom note function	ELF variant ransom note function

We observed that the Windows Interlock variant creates a windows task name “TaskSystem” that runs at 8:00 PM daily on the victim machine as a SYSTEM user executing the configured command to run the ransomware, indicating the ransomware establishing the persistence.  

schtasks /create /sc DAILY /tn “TaskSystem” /tr “cmd /c cd “$Path of the Interlock binary” && “$command” /st 20:00 /ru system > nul

The ransomware has the capability to delete itself upon encrypting the targeted files, hiding the evidence of the encryption binary on the victim machine.  To delete the encryption binary in the Windows variant, Interlock ransomware has a tiny DLL binary embedded in the data section that is dropped into the user profile applications temporary folder with the file name “tmp41.wasd”.  

Then, “rundll32.exe” is used to execute the DLL’s export function, called “run”, which then executes the remove() function to delete the encryption binary.  

The Linux variant uses a similar technique to delete the encryptor binary from the victim machine, by executing the removeme function, which is an inline routine in the same encryptor binary.  

Interlock TTPs overlap with Rhysida Ransomware 

Talos assesses with low confidence that Interlock ransomware is a new diversified group that emerged from Rhysida operators or developers, based on some similarities in TTPs, tools, and the ransomware encryptor binaries’ behaviors. 

We discovered code overlaps in the binaries of Interlock and Rhysida ransomware samples. Notably, the files and folders exclusion list hardcoded in the Windows variant of the Interlock ransomware has similarities with the exclusion list in Rhysida ransomware, reported by Talos in an August 2023 Threat Advisory. 

Additionally, the Interlock ransomware encryptor with the filename “conhost.exe” was earlier seen in Rhysida ransomware attacks, along with overlaps in TTPs and tools including PowerShell scripts, AnyDesk, and PuTTY, based on a CISA #StopRansomware advisory report on Rhysida Ransomware. Furthermore, both Rhysida and Interlock operators use AzCopy to exfiltrate the victim’s data to an attacker-controlled Azure storage blob, an old but uncommon technique. 

Finally, Interlock and Rhysida deliver ransom notes with a similar theme, where they portray themselves as a helpful partner notifying the victim of a breach and offering to help rectify it. This is in contrast to other prolific and sophisticated cyber groups, such a Black Basta and ALPHV, whose ransom notes demand payment, threaten, and attempt to intimidate the victim.  

Rhysida ransom note.

Interlock ransom note.

Interlock’s possible affiliation with Rhysida operators or developers would align with several broader trends in the cyber threat landscape, which Talos reported in our 2022 and 2023 Year in Review reports. We observed ransomware groups diversifying their capabilities to support more advanced and varied operations, and ransomware groups have been growing less siloed, as we observed operators increasingly working alongside multiple ransomware groups. 

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64114, 64113, 64189 and 301042. 

ClamAV detections are also available for this threat: 

Win.Ransomware.Interlock-10036524-0 

Unix.Ransomware.Interlock-10036662-0 

Win.Trojan.Kryptik-10036729-0 

Win.Downloader.Kryptik-10036730-0 

Indicators of Compromise 

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

The desire to remain anonymous online is as old as the internet itself. In the past, users believed hiding behind a nickname meant they could badmouth their neighbors on local forums with impunity. Now, such trolls can be identified in seconds. Since those early days, technology has taken a quantum leap: distributed networks, anonymous browsers, and other privacy tools have emerged. One of these tools, which was heavily promoted a decade ago by former NSA contractor Edward Snowden, is the Tor Browser, where “TOR” is an acronym for “The Onion Router”.

But in today’s world, can Tor truly provide complete anonymity? And if it doesn’t, should we just forget all about anonymity and rely on a regular browser like Google Chrome?

How Tor users are deanonymized

If Tor is new to you, check out our vintage article from way back when. There, we answered some common questions: how the browser ensures anonymity, who needs it, and what people usually do on the dark web. In brief, Tor anonymizes user traffic through a distributed network of servers, called nodes. All network traffic is repeatedly encrypted as it passes through a number of nodes between two communicating computers. No single node knows both the origin and destination addresses of a data packet, nor can it access the packet’s content. OK, short digression over — now let’s turn to the real security threats facing anonymity enthusiasts.

In September, German intelligence services identified a Tor user. How did they do it? The key to their success was data obtained through what’s called “timing analysis”.

How does this analysis work? Law enforcement agencies monitor Tor exit nodes (the final nodes in the chains that send traffic to its destination). The more Tor nodes the authorities monitor, the greater the chance a user hiding their connection will use one of those monitored nodes. Then, by timing individual data packets and correlating this information with ISP data, law enforcement can trace anonymous connections back to the end Tor user — even though all Tor traffic is encrypted multiple times.

The operation described above, which led to the arrest of the administrator of a child sexual abuse platform, was possible partly because Germany hosts the highest number of Tor exit nodes — around 700. The Netherlands ranks second with about 400, and the US comes in third with around 350. Other countries have anywhere from a few to a few dozen. International cooperation among these top exit-node countries played a significant role in deanonymizing the child sexual abuse offender. Logically, the more nodes a country has, the more of them can be state-monitored, increasing the likelihood of catching criminals.

The Tor Project responded with a blog post discussing the safety of their browser. It concludes that it’s still safe: the de-anonymized individual was a criminal (why else would authorities be interested?), using an outdated version of Tor and the Ricochet messaging app. However, Tor noted it wasn’t given access to the case files, so their interpretation regarding the security of their own browser might not be definitive.

This kind of story isn’t new; the problem of timing attacks has long been known to the Tor Project, intelligence agencies, and researchers. So although the attack method is well-known, it remains possible, and most likely, more criminals will be identified through timing analysis in the future. However, this method isn’t the only one: in 2015, our experts conducted extensive research detailing other ways to attack Tor users. Even if some of these methods have become outdated in the forms presented in that study, the principles of these attacks remain unchanged.

“Generally it is impossible to have perfect anonymity, even with Tor”.

This phrase opens the “Am I totally anonymous if I use Tor?” section of the Tor Browser support page. Here, the developers provide tips, but these tips can at best only increase the chances of remaining anonymous:

• Control what information you provide through web forms. Users are advised against logging in to personal accounts on social networks, as well as posting their real names, email addresses, phone numbers, and other similar information on forums.
• Don’t torrent over Tor. Torrent programs often bypass proxy settings and prefer direct connections, which can de-anonymize all traffic — including Tor.
• Don’t enable or install browser plugins. This advice also applies to regular browsers, as there are many dangerous extensions out there.
• Use HTTPS versions of websites. This recommendation, incidentally, applies to all internet users.
• Don’t open documents downloaded through Tor while online. Such documents, the Tor Project warns, may contain malicious exploits.

With all these recommendations, the Tor Project is essentially issuing a disclaimer: “Our browser is anonymous, but if you misuse it, you may still be exposed”. And this actually makes sense — your level of anonymity online depends primarily on your actions as a user — not solely on the technical capabilities of the browser or any other tool.

There is another interesting section on the Tor support page: “What attacks remain against onion routing?” It specifically mentions possible attacks using timing analysis with the note that “Tor does not defend against such a threat model”. However, in a post about the German user’s de-anonymization, the developers claim that an add-on called Vanguard, designed to protect against timing attacks, has been included in Tor Browser since 2018, and in Ricochet-Refresh since June 2022. This discrepancy suggests one of two things: either the Tor Project hasn’t updated its documentation, or it’s being somewhat disingenuous. Both are problematic because they can mislead users.

So what about anonymity?

It’s important to remember that Tor Browser can’t guarantee 100% anonymity. At the same time, switching to other tools built on a similar distributed node network structure is pointless, as they are equally vulnerable to timing attacks.

If you’re a law-abiding individual using anonymous browsing simply to avoid intrusive contextual ads, secretly shop for gifts for loved ones, and for other similarly harmless purposes, the private browsing mode in any regular browser will probably suffice. This mode, of course, doesn’t offer the same level of anonymity as Tor and its counterparts, but it can make surfing the net a bit more… well, private. Just make sure you fully understand how this mode works in different browsers, and what it can and can’t protect you from.

In addition, all of our home security solutions include Private Browsing. By default, this feature detects attempts to collect data and logs them in a report but doesn’t block them. To block data collection, you need to either enable Block data collection in the Kaspersky app or activate the Kaspersky Protection plugin directly in the browser.

Besides this, our protection can also block ads, prevent the hidden installation of unwanted apps, detect and remove stalkerware and adware, and remove traces of your activity in the operating system. Meanwhile, the special component Safe Money provides maximum protection for all financial operations by conducting them in a protected browser in an isolated environment and preventing other apps from gaining unauthorized access to the clipboard or taking screenshots.

Double VPN

You can also stay anonymous on the internet using Kaspersky VPN Secure Connection that support Double VPN (also known as multi-hop). As the name suggests, this technology allows you to create a chain of two VPN servers in different parts of the world: your traffic first passes through an intermediary server, and then through another. Double VPN in Kaspersky VPN Secure Connection uses nested encryption — the encrypted tunnel between the client and the destination server runs inside a second encrypted tunnel between the client and the intermediary server. Encryption in both cases is only performed on the client side, and data is not decrypted on the intermediary server. This provides an additional layer of security and anonymity.

Double VPN is available to users of Windows and Mac versions of Kaspersky VPN Secure Connection. Before enabling Double VPN, make sure that the Catapult Hydra protocol is selected in the application settings: Main → Settings (gear icon) → Protocol → Select automatically, or Catapult Hydra.

After that, you can enable Double VPN:

1. Open the main application window.
2. Click the Location drop-down to open the list of locations of VPN servers.
3. Click the Double VPN
4. Select two locations and click Connect.

You can add your Double VPN server pair to Favorites by clicking the Add to Favorites button.

Congratulations! Now your traffic is encrypted more securely than usual — but remember that these traffic encryption methods are not intended for illegal activities. Double VPN will help you conceal personal information from data-gathering sites, avoid undesirable ads, and access resources unavailable in your current location.

Kaspersky official blog – ​Read More