A Russian hacker group has been spotted using a patch that modifies Chrome and Firefox to spy on users. But how were they able to spy on websites served over a secured HTTPS connection?
By the way, Google has long been pushing for more websites to use HTTPS, and it has also adopted HTTPS as one of the criteria for ranking pages in Google search results.
The purpose of HTTPS is simply to help prevent attackers from interfering with the data transferred between a website and your browser.
Nonetheless, the hackers did spy on HTTPS websites and gained access to seemingly secured information passing through the Chrome and Firefox browsers.
The Cyber-espionage Hacker Group Responsible
The novel attack is blamed on the infamous hacker group “Turla”. Its latest exploit against Chrome and Firefox was revealed by Kaspersky, together with the details of its findings.
Turla is also known by other names, such as Snake, Uroburos, Krypton, Venomous Bear, Waterbug, Group 88, and Turla Team. With many names come many faces, and yes, the faces are always fierce and ugly. Turla is a well-known hacker group believed to operate under the protection of the Russian government. The Estonian Intelligence Services have also linked Turla with the Russian Federal Security Service (FSB) and the Foreign Intelligence Service (SVR).
Turla has been associated with Agent.btz and is believed to be behind several infamous cyber attacks. To list a few: they were behind the RUAG espionage incident, an attempted compromise of the Swiss Defense Ministry. The group has also been known to hijack telecommunication satellites and use them to deliver malware to remote areas.
Turla has also been active on social media. In one Turla watering hole campaign (an updated Firefox extension abusing Instagram), they were able to plant malware in the comment section of popular celebrities’ Instagram pages. This was seen on a photo posted by Britney Spears on Instagram.
How the Russian Hackers were able to Modify Chrome and Firefox
According to the Kaspersky report, Turla uses a remote access trojan named Reductor for the attack. The process involves two steps.
Step 1: First, they install their own digital certificates on each infected host. Once done, this allows the hackers to intercept any TLS traffic originating from the host.
Step 2: Next, they modify the browser installation to patch its pseudo-random number generation (PRNG) functions.
These functions are used to generate the random numbers needed when establishing new TLS handshakes for HTTPS connections.
In other words, the attackers first infect the system with the remote access trojan and then modify the browser using the same trojan. Turla installs its own certificates in order to intercept TLS traffic from the host, and finally it patches the pseudo-random number generation used to establish TLS connections.
Once the operation succeeds, a fingerprint is added to every TLS handshake, which lets the attackers track the host’s encrypted traffic passively. This is how the Russian hackers turned their modifications of Chrome and Firefox into a way to spy on users.
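As an added example (not from the Kaspersky report or from this article), here is a defender-side check that follows from the description above: a browser whose TLS randomness has been patched to stamp a fixed fingerprint will produce ClientHello random fields that agree at the same byte positions across many connections, something a sound CSPRNG essentially never does. The ClientHello records and the 8-byte tag are constructed samples; the tag is a placeholder and not Reductor’s actual fingerprint layout.

```python
import os
import struct

def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not captured traffic)."""
    assert len(client_random) == 32
    body = (b"\x03\x03"             # client_version: TLS 1.2
            + client_random          # 32-byte client random
            + b"\x00"                # empty session_id
            + b"\x00\x02\xc0\x2f"    # one cipher suite
            + b"\x01\x00")           # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # msg_type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def parse_client_random(record: bytes) -> bytes:
    """Extract the 32-byte client random from a raw TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (length,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + length]
    if len(body) < 38 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    return body[6:38]            # skip handshake header (4) and client_version (2)

def constant_positions(randoms) -> list:
    """Byte offsets that hold the same value in every observed client random."""
    if not randoms:
        return []
    return [i for i in range(32) if len({r[i] for r in randoms}) == 1]

def tampering_suspected(records, min_fixed_bytes: int = 4):
    """Flag a host whose ClientHello randoms share >= min_fixed_bytes constant bytes.
    With a sound CSPRNG the chance of even one constant position across ten
    handshakes is about 32 * 256**-9, so repeated structure is a strong signal."""
    positions = constant_positions([parse_client_random(r) for r in records])
    return len(positions) >= min_fixed_bytes, positions

# Constructed samples: a healthy browser vs one whose PRNG stamps a fixed 8-byte tag.
# The tag is a placeholder; it is NOT Reductor's real fingerprint layout.
def healthy_randoms(n: int) -> list:
    return [os.urandom(32) for _ in range(n)]

def patched_randoms(n: int, tag: bytes = b"TAG-DEMO") -> list:
    return [tag + os.urandom(32 - len(tag)) for _ in range(n)]

if __name__ == "__main__":
    for label, gen in (("healthy", healthy_randoms), ("patched", patched_randoms)):
        flagged, where = tampering_suspected([build_client_hello(r) for r in gen(10)])
        print(f"{label}: tampering suspected={flagged}, fixed byte offsets={where}")
```

In practice the records would come from a packet capture of the host’s outbound port 443 traffic, and the same comparison should be run per source host, since different machines legitimately produce unrelated randoms.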
How to remove the trojan
Certainly, the Turla hackers are both sophisticated and smart, and they anticipated how a user would go about removing the malware. Once a user discovers the trojan, the likely next step is to uninstall it. Doing so will not get rid of the malware entirely.
Hence, the only way to actually remove the trojan completely is to do a fresh install of the browser, because uninstalling just the malware leaves the patched browser in place, and the attackers can still access the user’s encrypted connections.
Although the intended targets are located in Russia and Belarus, which suggests a political motive, the attack could be used for other aims, and anyone using Chrome or Firefox is exposed.
All in all, Turla has been one of today’s most sophisticated hacker groups, by a wide margin. Moreover, their skills and techniques are years ahead of their competition. Notwithstanding, this is not the first time Turla has altered a browser component to deploy malware on infected hosts. And it probably will not be their last.
Truly, Turla is sophisticated, but having government backing makes them formidable.
First of all, what can you really do to protect yourself from Turla?
First, always read the security updates and tips from your antivirus provider and from security experts. Also rely on the power of information to keep yourself abreast of the latest threats and precautions.
Above all, always try to keep yourself safe and up to date on the latest threats out there in the public domain.
Additional resource: To learn more about why hackers do what they do and where they usually hang out, the dark web is a place to explore and find out more about the hacker ecosystem. But before you dive into the dark web, please read this article first.
For questions or suggestions, we are a click away.
Please leave a comment below.