Oct 07, 2019 11:50:00

'Unknown' attack technique that modifies Chrome and Firefox is newly discovered

by

geralt

Kaspersky researchers have discovered a unique attack technique that takes a fingerprint of TLS-encrypted traffic by modifying Firefox and Chrome. This approach is believed to be due to the Russian hacking group “ Turla ”, which conducts APT attacks, but security researchers also clearly understand what the hacker group uses for this purpose. It is not.

COMpfun successor Reductor infects files on the fly to compromise TLS traffic | Securelist
https://securelist.com/compfun-successor-reductor/93633/

Russian hacker group patches Chrome and Firefox to fingerprint TLS traffic | ZDNet
https://www.zdnet.com/article/russian-hacker-group-patches-chrome-and-firefox-to-fingerprint-tls-traffic/

In this attack, hackers first infect a target Trojan named “Reductor” to allow remote access. Then, install a unique digital certificate on each host and allow it to intercept TLS traffic on the host, and then patch the pseudo-random number feature in Chrome and Firefox. Pseudorandom numbers are used for TLS negotiation when making HTTPS connections. Hackers use a specially crafted pseudo-random number to add a small fingerprint at the start of a TLS connection.

Many hackers target browsers to take advantage of their vulnerabilities, and almost no movement like Turla has been observed. According to Kaspersky researchers, the hacker's behavior does not break the user's encrypted traffic, and there is no detailed explanation of the reason for the behavior.

Reductor infecting the target allows hackers to gain full control of the device and monitor the network traffic of the target in real time. However, it is possible that the target will notice a Trojan horse and delete it. If you remove the Trojan, hackers can monitor the targeted traffic without reinstalling the browser. From this, it is considered that hackers have come up with a new method as a second means of monitoring targets.

by deepanker70

Kaspersky researchers have found that early Reductor infections occurred via downloads from legitimate websites. Researchers say that it is easy to replace legitimate software with malware-infected software if the download is done via HTTP, even if you do not have Reductor infected files. On the other hand, this seems to mean that the hacker group is under the control of the ISP or is infringing. ESET (PDF file) reports that Turla infringed ISP in 2018.

In addition, Turla is said to be one of the most advanced hacker groups as of 2019, and in the past it has also been found that malware was spread over communication satellites.