Now Russians Can Snoop Via Chrome and Firefox!

Security solutions company Kaspersky suggests that a known hacker group is patching the browsers to snoop on their TLS connections


Donald Trump can relax! For now, it turns out that he is not the only one into whose affairs the Russians can meddle. It appears that a counter-espionage unit from up north is using a novel technique to snoop on pretty much everyone who uses a web browser, by locally installing patches on Google Chrome and Firefox that modify their internal configuration.

“The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers,” says a report published in ZDnet.com.

The report quotes a study by cyber security solutions company Kaspersky to suggest that hackers were infecting victims with a remote access trojan named Reductor through which they had the ability to modify the two browsers. Such attacks were attributed to Turla, a group of hackers believed to have the support of the Russian administration.

The company says it had uncovered the malware infection with the ability to decode TLS traffic without the need to intercept or manipulate it way back in April. The company feels that the new malware is connected to an earlier trojan that went by the name COMpFun.

TLS or transport layer security and its predecessor the secure sockets layer (SSL) are cryptographic protocols designed to secure communications over a computer network like the world wide web. Several versions of the protocols have been used in applications ranging from browsing to email and instant messaging.

Kaspersky claims that the process of infecting a browser involves two steps. The first is to install their own digital certificates on the host, which allows the hackers to intercept any TLS traffic originating from that machine. The second is to modify the Chrome and Firefox installations to patch their PRNG functions.

PRNG, or pseudo-random number generator, functions are used to generate the random numbers required when negotiating and establishing new TLS handshakes for secure HTTPS connections. However, the hackers are using these tainted PRNG functions to add small patches at the start of every new connection, says the Kaspersky report.

“As we don’t know what happens on the ‘server’ side, we can only rely on ‘client’ analysis. In order to distinguish handshakes of interest from all the TLS traffic, the campaign operators firstly have to decrypt this ‘client hello’ field. This means the campaign operators somehow need to have access to the target’s traffic,” says the report.
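As an added illustration of the two paragraphs above (this is not code from the article or from Kaspersky's report), the Python below pulls the client random out of a raw TLS ClientHello record and applies a simple defender's check: a healthy browser PRNG gives every connection fresh random bytes, so a fixed prefix shared by all of one host's client randoms is a sign the generator has been tampered with to embed a marker. The minimal ClientHello builder, the sample marker and the 4-byte prefix heuristic are constructed assumptions and do not reproduce Reductor's actual encoding.

```python
import hashlib
import struct
from typing import List, Optional

def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record around a 32-byte client random
    (constructed test input; real browser hellos carry many more fields)."""
    assert len(client_random) == 32
    hello = (b"\x03\x03" + client_random   # client_version, random
             + b"\x00"                     # session_id length 0
             + b"\x00\x02\xc0\x2f"         # cipher_suites: one suite
             + b"\x01\x00")                # compression_methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # 0x01 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # 0x16 = handshake

def extract_client_random(record: bytes) -> bytes:
    """Return the 32-byte client random from a raw TLS ClientHello record:
    5-byte record header, 4-byte handshake header, 2-byte version, then random."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    return hello[2:34]

def stable_prefix(randoms: List[bytes], prefix_len: int = 4) -> Optional[bytes]:
    """A healthy PRNG gives every connection fresh random bytes; if all of one
    host's client randoms share the same leading bytes, return that prefix."""
    if len(randoms) < 2:
        return None
    prefix = randoms[0][:prefix_len]
    return prefix if all(r[:prefix_len] == prefix for r in randoms) else None

def flag_host(records: List[bytes], prefix_len: int = 4) -> Optional[bytes]:
    """Parse a host's captured ClientHellos and report a suspicious fixed prefix."""
    return stable_prefix([extract_client_random(r) for r in records], prefix_len)

def _pseudo_random(seed: int) -> bytes:
    """Deterministic stand-in for a healthy PRNG so the example runs offline."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()

# Constructed sample traffic: five hellos from a clean host and five from a host
# whose (hypothetical) patched PRNG plants the same 4-byte marker in every random.
MARKER = b"\xde\xad\xbe\xef"
CLEAN_HOST = [build_client_hello(_pseudo_random(i)) for i in range(5)]
TAMPERED_HOST = [build_client_hello(MARKER + _pseudo_random(100 + i)[4:]) for i in range(5)]
```

Calling `flag_host(CLEAN_HOST)` returns `None`, while `flag_host(TAMPERED_HOST)` returns the planted marker; on real captures, feed it the ClientHello records seen from a single host.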

It goes on to suggest that Turla has, in the past, shown innovative ways to accomplish its goals such as using hijacked satellite infrastructure. “This time, if we’re right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host’s encrypted TLS traffic by patching a browser without parsing network packets.”

Looks like the Russians have provided some more headaches for the security experts around the world. With the US elections round the corner, maybe we're wrong: Trump ought to get worried once again, especially since the Democrats are pushing for his impeachment over the Ukraine connection!


TAGS: Security, Browser, Chrome, Firefox, Kaspersky