Russian Malware 'Patches' Chrome and Firefox To Fingerprint TLS Traffic (zdnet.com) 13
An anonymous reader quotes ZDNet:
A Russian cyber-espionage hacker group has been spotted using a novel technique that involves patching locally installed browsers like Chrome and Firefox in order to modify the browsers' internal components. The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers...
According to a Kaspersky report published this week, hackers are infecting victims with a remote access trojan named Reductor, through which they are modifying the two browsers. This process involves two steps. They first install their own digital certificates to each infected host. This would allow hackers to intercept any TLS traffic originating from the host. Second, they modify the Chrome and Firefox installation to patch their pseudo-random number generation (PRNG) functions. These functions are used when generating random numbers needed for the process of negotiating and establishing new TLS handshakes for HTTPS connections.
Turla hackers are using these tainted PRNG functions to add a small fingerprint at the start of every new TLS connection.
The attack is being attributed to Turla, "a well-known hacker group believed to operate under the protection of the Russian government," ZDNet reports. And though the remote-access trojan already grants full control over a victim's device, one theory is the modified browsers offer "a secondary surveillance mechanism" if that trojan was discovered and removed. Researchers believe the malware is installed during file transfers over HTTP connections, suggesting an ISP had been compromised, according to the article.
"A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files."
According to a Kaspersky report published this week, hackers are infecting victims with a remote access trojan named Reductor, through which they are modifying the two browsers. This process involves two steps. They first install their own digital certificates to each infected host. This would allow hackers to intercept any TLS traffic originating from the host. Second, they modify the Chrome and Firefox installation to patch their pseudo-random number generation (PRNG) functions. These functions are used when generating random numbers needed for the process of negotiating and establishing new TLS handshakes for HTTPS connections.
Turla hackers are using these tainted PRNG functions to add a small fingerprint at the start of every new TLS connection.
The attack is being attributed to Turla, "a well-known hacker group believed to operate under the protection of the Russian government," ZDNet reports. And though the remote-access trojan already grants full control over a victim's device, one theory is the modified browsers offer "a secondary surveillance mechanism" if that trojan was discovered and removed. Researchers believe the malware is installed during file transfers over HTTP connections, suggesting an ISP had been compromised, according to the article.
"A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files."
they did not mention Windows (Score:5, Informative)
Re: (Score:1)
Russian Hackers are infecting victims browsers? (Score:2)
Pardon me for asking, but what was the names of the Operating Systems and what was the method of infection.
securelist.com [securelist.com]: “Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected ho
Re: (Score:2)
Why are they so butthurt. You lost.
Grow up, bitches.
Hahahahaahahahaaaa
What about Opera and Edge? (Score:1)
You missed the actual gem (Score:5, Insightful)
The infection seems to have happened due to downloads from http. Which implies that the source was not the place the (infected) software was downloaded from but that the data stream has been redirected and the intended file replaced with the malicious one. Which in turn means that they either had help from an ISP or that the ISP was hacked before (you can read TFA for details).
In other words, finally stop downloading from http.
No, verification of checksums isn't going to cut it, because if I can manipulate the file you download, manipulating the website to display the matching sha1 is trivial. Unless you have a secondary source for the checksum (and who does?), you're essentially comparing bogus data with bogus data.
Some "Secondary" Thoughts (Score:2)
Secondary Surveillance or Reinfect
Because when the certs are tainted you could not only decrypt the traffic but change it or am I wrong, so it can be used to inject malious data into a TLS secured connection and not only pure-http.
Defense
a.) when you are redoing an infected computer, wipe it completely, check all thumb drives, ext. drives, burned cd, etc..
b.) Do not get programs through unsecured http lines
c.) Use of signature check - nearly nobody does it
d.) Use of virustotal - At least a lowlevel check. H
Re: (Score:2)
We have attribution done by people selected using these advertisements (or someone who cooperates with such people like ZD Net in the original article): https://edition.cnn.com/2019/1... [cnn.com]
The fact that the primary source (Kaspersky in this case) has said nothing on the origins of the infection is irrelevant when there is a need to promote the Fear the Red Under Our Beds narrative. Neither have proper primary sources like the NCSC: https://www.ncsc.gov.uk/news/t... [ncsc.gov.uk] . In fact, reading the tec