Posted on October 7, 2019 at 2:36 PM
Russian Hackers have a New Technique of Fingerprinting TLS Traffic through Internet Browsers
The neverending game of hackers vs. security researchers and developers continues, but this time, it appears that hackers might be taking the lead.
Recently, it was reported that a Russian hacking group, known as Turla, uses a new technique to patch certain browsers and modify their components. The purpose of the move is to change the way browsers such as Firefox and Chrome set up HTTPS connections. The result is the addition of a unique fingerprint for the TLS traffic coming from their victims’ devices.
Researchers know who is behind it
As mentioned, researchers stated that the hacking group responsible for the new method is a well-known Russian cyber-espionage group called Turla. The group is known for two things — working under the Russian government, and coming up with clever methods to achieve their goals.
As for the new campaign, it was discovered by security researchers at Kaspersky, who published a report about it last week. In the report, researchers explained that hackers use a trojan known as Reductor to infect victims and modify Chrome and Firefox browsers.
The process, as described, consists of two steps, with the first one being the installation of hackers’ own digital certificates to the infected devices and the interception of TLS-encrypted traffic originating from these devices.
Then, the second step includes the modification of Firefox and Chrome installations and the introduction of a patch to their RPNG (Pseudo-Random Number Generation) function.
PRNG function is used by browsers when there is a need to generate random numbers, which is usually needed when the browser is establishing a new TLS connection with HTTPS.
After gaining control over PRNG functions, hackers are adding a fingerprint which appears at the start of each number. As a result, they can track every new TLS connection.
The motive
Kaspersky researchers’ report did not specify what the hackers are gaining from this, as they do not use the technique for breaking the encryption. In other words, their exact motives remain unclear for now.
Furthermore, the Reductor trojan, which the researchers have found on the hacked devices, allows hackers to take full control over the devices if the hackers wanted it. This also includes the ability to monitor users’ activities and traffic in real-time, meaning that the new technique would not bring anything new to the table.
However, one possibility is that the hackers simply wanted a back-up surveillance mechanism, in case that the trojan was found and removed. Of course, this would only work if the users failed to reinstall their browsers.
This might be the reason, as the TOL fingerprint allows Turla to watch as the victim connects to various websites. Multiple security research groups came to this conclusion, including Kaspersky itself, although this still remains only a theory.
Where did the infection come from?
According to Kaspersky researchers, the source of the infection comes from various software downloads that the victims made, even if they did so on legitimate websites.
They came to this conclusion after tracking the Reductor trojan, which is interesting, since ‘warez’ sites never hosted files infected with Reductor. In other words, the files were not infected while on the websites, but rather during transit, as they were being downloaded by the victims.
However, since the downloads took place on HTTP instead of HTTPS, replacing the original files with the infected ones should not have been a huge problem for a hacking group such as Turla.
Of course, that would also indicate a much bigger issue, such as the possibility that Turla also managed to hack an ISP (Internet Service Provider), so that it could sniff their users’ traffic.
Of course, something like that is entirely possible when it comes to Russian hackers, as the same was done before. Back in January 2018, an online security company known as ESET reported that at least four ISPs were already compromised by this very same hacking group.
They did so throughout Eastern Europe, mostly in the former Soviet region, with pretty much the same goal of replacing legitimate files with the infected ones during the download itself. With that in mind, it is hardly a stretch to assume that they may have done the same thing again.
After all, Turla is considered to be among the most sophisticated hacking groups today, standing high above most other groups. They are known for using advanced tricks and techniques that no other group can come up with for years to come.
Some of their previous achievements include hijacking of telecommunications satellites, which are then used for infecting even some of the most isolated areas with malware. They also created malware that used Britney Spears’ Instagram photos to hide its control mechanisms.
Next, they created an email server backdoor that was receiving instructions and commands from spam messages. Finally, they even hacked other hackers, working for other countries’ governments.