Companies like Google, Microsoft, Yahoo and many others are consistently pushing websites to use HTTPS to secure web traffic and prevent attackers from hijacking the data transferred from the end user's browser to the website. But it appears that Russian hackers are one step ahead and have found a way to track secure HTTPS web traffic, as reported by Kaspersky.
Chrome and Firefox patched by Turla, the Russian hacker group
Hackers normally do not modify web browsers beyond exploiting the vulnerabilities inherent in them. But now one hacker group is entering a new paradigm and taking it a step further. Recently the antivirus company Kaspersky revealed tactics employed by the Russian hacker group Turla: Turla has modified Google Chrome and Mozilla Firefox to fingerprint TLS-encrypted web traffic.
The reason companies like Google are pushing more websites to use HTTPS is that it helps secure your web traffic: it prevents attackers from interfering with the data transferred between the website and your browser. Unfortunately, a report from Kaspersky has revealed that Russian hackers might have found a way to track secure web traffic.
This is not the first time Turla has modified a browser component to deploy malware on infected hosts. The Russian hacker group previously installed a backdoored Firefox add-on in victims' browsers back in 2015, which it used to monitor the user's web traffic. You can find further details in Bitdefender's document.
How does Turla carry out the attack?
The Russian hacker group Turla uses a two-step process. First, it infects the system with a remote access trojan (RAT). Then, using the capabilities of the RAT, it modifies (patches) web browsers such as Google Chrome and Mozilla Firefox. The group first installs its own digital certificates on the host in order to intercept TLS traffic originating from it. It then modifies the Chrome and Firefox binaries by patching their pseudo-random number generation (PRNG) functions. Patching the PRNG matters because the browser draws on it when negotiating TLS connections: these functions supply the random values used to negotiate and establish new TLS handshakes for HTTPS connections. This lets the attackers add a fingerprint to every TLS action and passively track the encrypted traffic. Further details are in the report released by Kaspersky.
Two-step deployment process: install the RAT, then patch the web browser (Chrome, Firefox)
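A browser whose PRNG has not been tampered with never emits the same client random bytes twice, so one way a network defender can hunt for the kind of TLS marking described above is to parse the ClientHello of each connection and look for a byte slice of the 32-byte client random that recurs across connections from one host. The script below is an added example and is not code from the article or from Kaspersky's report; the marker value, the offset at which it is searched and the sample ClientHello records are all constructed for illustration, since the page does not describe Reductor's actual marking scheme.

```python
"""Hunt for non-random TLS client_random values (added example, not from the article).

Heuristic: group ClientHello client_random slices from one host and flag any
slice that recurs. The marker, offset and sample records below are constructed
for illustration; the real Reductor scheme is not described on the page.
"""
import os
import struct
from collections import Counter
from typing import Iterable, Optional

TLS_HANDSHAKE = 0x16  # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def build_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal TLS ClientHello record carrying the given random (sample data only)."""
    assert len(client_random) == 32
    body = (
        b"\x03\x03"            # legacy_version (TLS 1.2)
        + client_random        # 32-byte client random
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"          # one compression method (null)
        + b"\x00\x00"          # no extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return record_header + handshake


def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte client_random of a ClientHello record, or None for anything else."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) < 2 + 32:
        return None
    return body[2:34]  # skip legacy_version, then the random


def find_repeated_markers(records: Iterable[bytes], offset: int = 4,
                          length: int = 4, threshold: int = 3) -> dict:
    """Return {hex_slice: count} for client_random slices seen at least `threshold` times.

    The default offset of 4 skips the first four bytes, which older TLS stacks
    fill with a timestamp and which therefore may legitimately repeat.
    """
    counts: Counter = Counter()
    for record in records:
        rnd = extract_client_random(record)
        if rnd is not None:
            counts[rnd[offset:offset + length].hex()] += 1
    return {marker: n for marker, n in counts.items() if n >= threshold}


# Constructed sample: three hellos from a "marked" host share bytes 4..8; two are clean.
MARKER = bytes.fromhex("deadbeef")  # hypothetical marker, not Reductor's real value
SAMPLE_RECORDS = [
    build_client_hello(os.urandom(4) + MARKER + os.urandom(24)) for _ in range(3)
] + [build_client_hello(os.urandom(32)) for _ in range(2)]

if __name__ == "__main__":
    print(find_repeated_markers(SAMPLE_RECORDS))
```

In practice the records would come from a packet capture of one host's outbound port 443 traffic, and the slice offset and length would be tuned once an analyst knows where the implant writes its mark; a genuine PRNG makes any recurring slice of a few bytes across many handshakes statistically implausible, which is why the repetition alone is worth escalating.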
I removed the RAT, am I safe now?
All of these actions modify how the web browser runs, and because of these modifications, even with HTTPS in use, the hackers are able to fingerprint the victim and track them across websites. Here things get really interesting: there was no attempt to break the encryption of the websites; instead, Turla employs this as a secondary surveillance tool. So even if the victim somehow discovers the installed RAT and removes it, the hackers can continue to watch and passively spy on the victim's web activity.
Why the hackers would need such a complex mechanism is not entirely clear. If a hacker has successfully compromised a computer with a remote control trojan, there is no need to patch the browser to spy on traffic. However, according to ZDNet, it might be a failsafe mechanism: it allows intruders to keep spying on the web traffic of victims who eventually removed the trojan but were not cautious enough to reinstall their web browsers.
How do I get rid of it?
The only way to completely remove this eavesdropping framework is to do a fresh install of the web browser from an authentic source. If you only remove the RAT, the attacker is still able to listen to and monitor the web traffic originating from the victim's browser.
Who are the current targets of Turla?
So far, as per reports of the activity, the initial targets are located in Russia and Belarus, where it is believed to be used to spy on political targets and dissidents. The group is sophisticated enough to have successfully compromised Eastern European Internet providers in the past to infect legitimate downloads. It is quite possible that ISPs have been compromised again, but this time, instead of the Mosquito trojan, Turla deployed Reductor.