Tuesday, March 2, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Russian hacker group patches Chrome and Firefox to fingerprint TLS traffic

October 6, 2019
in Internet Security
Russian hacker group patches Chrome and Firefox to fingerprint TLS traffic
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Image: Check Point // Composition: ZDNet

A Russian cyber-espionage hacker group has been spotted using a novel technique that involves patching locally installed browsers like Chrome and Firefox in order to modify the browsers’ internal components.

The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers.

You might also like

Singapore eyes more cameras, technology to boost law enforcement

Free cybersecurity tool aims to help smaller businesses stay safer online

Judge approves $650m settlement for Facebook users in privacy, biometrics lawsuit

Attack blamed on Turla

This type of novel attack has been attributed to Turla, a well-known hacker group believed to operate under the protection of the Russian government.

According to a Kaspersky report published this week, hackers are infecting victims with a remote access trojan named Reductor, through which they are modifying the two browsers.

This process involves two steps. They first install their own digital certificates to each infected host. This would allow hackers to intercept any TLS traffic originating from the host.

Second, they modify the Chrome and Firefox installation to patch their pseudo-random number generation (PRNG) functions. These functions are used when generating random numbers needed for the process of negotiating and establishing new TLS handshakes for HTTPS connections.

Turla hackers are using these tainted PRNG functions to add a small fingerprint at the start of every new TLS connection. The structure of this fingerprint goes as follows, as explained by Kaspersky researchers in a report released today:

  • The first four-byte hash (cert_hash) is built using all of Reductor’s digital certificates. For each of them, the hash’s initial value is the X509 version number. Then they are sequentially XORed with all four-byte values from the serial number. All the counted hashes are XOR-ed with each other to build the final one. The operators know this value for every victim, because it’s built using their digital certificates.
  • The second four-byte hash (hwid_hash) is based on the target’s hardware properties: SMBIOS date and version, Video BIOS date and version and hard drive volume ID. The operators know this value for every victim because it’s used for the C2 communication protocol.
  • The latter three fields are encrypted using the first four bytes – initial PRN XOR key. At every round, the XOR key changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a result, the bytes remain pseudo random, but with the unique host ID encrypted inside.

Post-removal tracking mechanism?

Kaspersky didn’t have an explanation of why Turla hackers were doing this. Whatever it was, it wasn’t for breaking a user’s encrypted traffic.

The Reductor RAT that was present on users’ devices would have allowed hackers full control over a victim’s device already, including the ability to watch a victim’s network traffic in real-time.

However, one possible explanation is that hackers were using the TLS fingerprint as a secondary surveillance mechanism in case victims found and removed the Reductor trojan, but didn’t reinstall their browsers.

With the TLS fingerprint in place, the Turla group would be able to spot the victim’s encrypted traffic stream while it connected to various websites across the web.

This “theory” that ZDNet heard from several security researchers would also means that Turla would be in a position to passively observe HTTPS traffic across the web. Coincidentally, this is confirmed by the Kaspersky report.

Kaspersky researchers said they tracked the initial Reductor trojan infections to software downloads victims made from legitimate websites or “warez” sites.

Researchers said those websites never hosted Reductor-infected files, so the only way Turla hackers modified those files was while they were in transit across the internet.

Because the downloads also took place via HTTP, replacing the legitimate files with the tainted ones would have actually been a pretty trivial task, Kaspersky said.

However, this would mean that Turla hackers also had control or had compromised an internet service provider, in order to sniff all traffic and replace the legitimate files with tainted ones.

But this isn’t a stretch for the Russian hackers, and they’ve been seen doing the very same before. A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files.

It is possible that those ISP compromises happened again, but this time, instead of the Mosquito trojan, they deployed Reductor.

Normal Turla procedures

All in all, Turla has been one of today’s most sophisticated hacker groups, by a very wide margin. The tricks and techniques the group uses are years ahead of everyone else.

The group has been known to hijack and use telecommunications satellites to deliver malware to remote areas of the globe, has developed malware that hid its control mechanism inside comments posted on Britney Spears’ Instagram photos, has developed email server backdoors that received commands via spam-looking messages, and has hacked other countries’ cyber-espionage hacker groups.

This is also not the first time when Turla alters a browser component to deploy malware on infected hosts. The group has previously installed a backdoored Firefox add-on in victims’ browsers back in 2015 [1, 2], which it used to keep an eye on the user’s web traffic.

Patching Chrome and Firefox just to be able to track a victim’s HTTPS traffic while they’ve been kicked off a workstations fits with their previous pattern of highly clever hacks and techniques.

Credit: Zdnet

Previous Post

Multiple Traders Predict an Incoming Altseason in Crypto

Next Post

Predicting Resistance in Pseudomonas aeruginosa With Machine Learning

Related Posts

Singapore eyes more cameras, technology to boost law enforcement
Internet Security

Singapore eyes more cameras, technology to boost law enforcement

March 2, 2021
Free cybersecurity tool aims to help smaller businesses stay safer online
Internet Security

Free cybersecurity tool aims to help smaller businesses stay safer online

March 2, 2021
Judge approves $650m settlement for Facebook users in privacy, biometrics lawsuit
Internet Security

Judge approves $650m settlement for Facebook users in privacy, biometrics lawsuit

March 1, 2021
These four new hacking groups are targeting critical infrastructure, warns security company
Internet Security

These four new hacking groups are targeting critical infrastructure, warns security company

February 28, 2021
Privacy Commissioner asks for clarity on minister’s powers in Critical Infrastructure Bill
Internet Security

Privacy Commissioner asks for clarity on minister’s powers in Critical Infrastructure Bill

February 28, 2021
Next Post
Predicting Resistance in Pseudomonas aeruginosa With Machine Learning

Predicting Resistance in Pseudomonas aeruginosa With Machine Learning

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Ask the Expert: What’s New in Azure Machine Learning | Ask the Expert
Machine Learning

Ask the Expert: What’s New in Azure Machine Learning | Ask the Expert

March 2, 2021
Can India beat the global AI challenge? Can we avoid huge job extinction here? | by Yogesh Chauhan | Jan, 2021
Neural Networks

Can India beat the global AI challenge? Can we avoid huge job extinction here? | by Yogesh Chauhan | Jan, 2021

March 2, 2021
Singapore eyes more cameras, technology to boost law enforcement
Internet Security

Singapore eyes more cameras, technology to boost law enforcement

March 2, 2021
Why do companies fail to stop breaches despite soaring IT security investment?
Internet Privacy

Why do companies fail to stop breaches despite soaring IT security investment?

March 2, 2021
Tweaking Algorithmic Filtering to Combat Fake News
Data Science

Tweaking Algorithmic Filtering to Combat Fake News

March 2, 2021
Machine Learning Cuts Through the Noise of Quantum Computing
Machine Learning

Machine Learning Cuts Through the Noise of Quantum Computing

March 2, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Ask the Expert: What’s New in Azure Machine Learning | Ask the Expert March 2, 2021
  • Can India beat the global AI challenge? Can we avoid huge job extinction here? | by Yogesh Chauhan | Jan, 2021 March 2, 2021
  • Singapore eyes more cameras, technology to boost law enforcement March 2, 2021
  • Why do companies fail to stop breaches despite soaring IT security investment? March 2, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates