A Russia-based hacker group is altering how Chrome and Firefox handle secure web traffic, using a technique that had not been seen used for this purpose before.
Turla, a hacking group suspected of being run by a Russian government agency, modifies Chrome and Firefox in order to track secure web traffic. To modify the internal components of the two browsers, the group combines a remote access trojan with in-place patching of the browser.
Together, these changes give them everything they need to fingerprint TLS-encrypted web traffic on the victim's machine.
As reported by the multinational anti-virus provider Kaspersky Lab, the process starts by infecting the system with a remote access trojan named Reductor, which then installs the attackers' own web security certificates.
This bypasses the checks normally provided by the original SSL certificates and, as a consequence, changes how both targeted browsers, Chrome and Firefox, handle HTTP connections over TLS.
To track TLS (Transport Layer Security) connections, they patch the browsers' pseudo-random number generation, which lets them identify each TLS session and its encrypted web traffic. The fingerprint is structured as follows:
- The first four bytes (cert_hash) are computed from all of Reductor's digital certificates. For each certificate, the hash's initial value is its version number, which is then sequentially XORed with every four-byte value of the serial number. The hashes of all certificates are XORed with each other to build the final value. The intruders know this value for every victim because it is derived from their own digital certificates.
- The second four bytes (hwid_hash) are based on the victim's hardware properties: video BIOS date and version, SMBIOS date and version, and hard drive volume ID. The attackers know this value for every TLS session because it is also used in the C2 communication protocol.
- The last three fields are encrypted using the first four bytes, the original pseudo-random number, as an XOR key. At each round, the XOR key is updated with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a consequence, the bytes still look pseudo-random, but a unique host ID is encrypted inside them.
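The following Python script is an added example written for this article; it is not Kaspersky's analysis code or anything taken from Reductor. It models the marker layout described above from a defender's side: it computes cert_hash exactly as the list describes (version number XORed with every four-byte word of the serial, per-certificate hashes XORed together), applies the MUL 0x48C27395 MOD 0x7FFFFFFF key update, and offers a `carries_marker()` check that an incident responder could run over ClientHello randoms captured from a suspect host to see whether they carry the expected host ID. Several details are assumptions, because the article does not state them: the byte order (big-endian here), zero padding of serial numbers to a multiple of four bytes, the key schedule (field i is XORed with key_i, where key_0 is the first four bytes and key_{i+1} = key_i * MUL mod MOD), and the way hwid_hash is derived from the hardware properties, which is left as a given 32-bit value. Only the two named fields are modelled; the third encrypted field the article mentions but does not describe is left out. All certificate values and client randoms below are constructed sample data.

```python
"""Defender-side model of the Reductor TLS client-random marker.

Added example for this article; not Kaspersky's or Reductor's code.
Assumptions (not stated in the article): big-endian words, zero padding
of serial numbers, key_i applied to field i with key_0 = initial PRN,
hwid_hash taken as a given value, only the two named fields modelled.
"""
import struct
from typing import List, Sequence, Tuple

MUL = 0x48C27395  # multiplier from the article's key-update step
MOD = 0x7FFFFFFF  # modulus from the article's key-update step
MASK32 = 0xFFFFFFFF


def cert_hash(certs: Sequence[Tuple[int, bytes]]) -> int:
    """cert_hash as described: start at the version number, XOR in every
    4-byte word of the serial number, then XOR all per-cert hashes together."""
    final = 0
    for version, serial in certs:
        h = version & MASK32
        padded = serial + b"\x00" * (-len(serial) % 4)  # assumption: zero pad
        for i in range(0, len(padded), 4):
            h ^= struct.unpack(">I", padded[i:i + 4])[0]
        final ^= h
    return final & MASK32


def next_key(key: int) -> int:
    """One round of the XOR-key update: key * 0x48C27395 mod 0x7FFFFFFF."""
    return (key * MUL) % MOD


def encrypt_fields(initial_prn: int, fields: Sequence[int]) -> bytes:
    """Build the marker: initial PRN in clear, then each 32-bit field XORed
    with the rolling key (assumption: key_0 is the initial PRN itself)."""
    out = struct.pack(">I", initial_prn & MASK32)
    key = initial_prn & MASK32
    for f in fields:
        out += struct.pack(">I", (f ^ key) & MASK32)
        key = next_key(key)
    return out


def decrypt_fields(marker: bytes, n_fields: int) -> List[int]:
    """Inverse of encrypt_fields: recover the 32-bit fields from a marker."""
    key = struct.unpack(">I", marker[:4])[0]
    fields = []
    for i in range(n_fields):
        word = struct.unpack(">I", marker[4 + 4 * i:8 + 4 * i])[0]
        fields.append((word ^ key) & MASK32)
        key = next_key(key)
    return fields


def carries_marker(client_random: bytes, known_cert: int, known_hwid: int) -> bool:
    """Detection check: does this ClientHello random decrypt to the cert_hash
    recovered from the installed rogue certificates and the host's hwid_hash?"""
    if len(client_random) < 12:
        return False
    c, h = decrypt_fields(client_random[:12], 2)
    return c == known_cert and h == known_hwid


# Constructed sample data (not real Reductor certificate values).
SAMPLE_CERTS = [
    (3, bytes.fromhex("0123456789abcdef")),  # version 3, 8-byte serial
    (3, bytes.fromhex("00000010")),          # version 3, 4-byte serial
]
SAMPLE_HWID_HASH = 0xDEADBEEF   # stand-in for the hardware-derived value
SAMPLE_INITIAL_PRN = 0x12345678  # stand-in for the browser's first PRN output


def build_sample_marker() -> bytes:
    """Marker a compromised browser would emit for the sample host."""
    return encrypt_fields(SAMPLE_INITIAL_PRN, [cert_hash(SAMPLE_CERTS), SAMPLE_HWID_HASH])


if __name__ == "__main__":
    marker = build_sample_marker()
    print("cert_hash      :", hex(cert_hash(SAMPLE_CERTS)))
    print("marker (12 B)  :", marker.hex())
    print("flagged        :", carries_marker(marker, cert_hash(SAMPLE_CERTS), SAMPLE_HWID_HASH))
    print("clean random   :", carries_marker(b"\x00" * 32, cert_hash(SAMPLE_CERTS), SAMPLE_HWID_HASH))
```

In practice the 32-byte client random would be pulled from ClientHello records in a packet capture, cert_hash computed from the rogue root certificates found in the browser's certificate store, and hwid_hash from the host under investigation; any session that decrypts to both values is evidence that the browser's PRNG has been patched.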
This new Turla technique has left web security experts with many questions, and the attackers' motive for this kind of modification is also unclear.
ZDNet suggested that infecting a system with a trojan would ideally be enough to track TLS sessions, but that the patched random number generation gives the intruders a secondary surveillance mechanism: it keeps working against users who manage to remove the trojan from their machine but neglect to reinstall their browser.
Before this attack, in January 2018, a report from the cybersecurity firm ESET revealed that Turla had compromised four ISPs in Eastern Europe and the former Soviet space in order to taint downloads, infecting otherwise legitimate files with malware.
Featured image: AP/Mark Lennihan