Russian Hackers Allegedly Modifying Chrome and Firefox to Secretly Track Secure Web Traffic

Coding
Lewis Ngugi

A Russian hacker group has reportedly been using a new technique: patching installed browsers such as Chrome and Firefox to modify their internal settings and components.

Reports say that the attack alters the way Chrome and Firefox set up HTTPS connections, adding a per-victim fingerprint to the TLS-encrypted web traffic leaving the infected computers.

Many hackers exploit vulnerabilities in operating systems and browsers; far fewer go so far as to patch the browser's own code.

According to a report published by Kaspersky, the hackers hijack the browsers with a remote access Trojan named Reductor. First, they install their own digital certificates on the infected hosts, which gives them the ability to intercept TLS traffic coming from the host.

They then patch the browsers' pseudo-random number generation (PRNG) functions. TLS relies on this PRNG for the "client random" value sent at the start of every handshake, so the patch lets the attackers control what goes into each new HTTPS connection the browser opens.

Simply put, the hackers piggyback on the browsers' own TLS machinery to stamp every connection with a unique fingerprint that identifies the user and the computer. Anyone who can observe the traffic can then track that host by the fingerprint alone, without decrypting anything.
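To make the mechanism concrete, here is an added example (not code from the article, from Kaspersky's report, or from Reductor itself). It simulates a PRNG that has been patched to embed a per-victim identifier in the 32-byte TLS client random, builds a minimal ClientHello around it, and then shows the check a network defender could run: if several handshakes from the same host share a fixed prefix in a field that should be fully random, the browser is stamping its traffic. The 4-byte-prefix layout, the `make_fingerprint` derivation and the host ID string are hypothetical illustrations, not Reductor's actual encoding, and the ClientHello is constructed inline.

```python
"""Added example: a PRNG patched to stamp a victim fingerprint into the TLS
client random, plus a detector for the resulting non-randomness.
The fingerprint layout (leading 4 bytes) is hypothetical, not Reductor's."""
import hashlib
import os
import struct

RANDOM_LEN = 32  # TLS ClientHello.random is always 32 bytes


def honest_random() -> bytes:
    """What a healthy TLS stack does: 32 bytes straight from the OS CSPRNG."""
    return os.urandom(RANDOM_LEN)


def make_fingerprint(hardware_id: str) -> bytes:
    """Hypothetical victim identifier: first 4 bytes of SHA-256 of a host ID."""
    return hashlib.sha256(hardware_id.encode()).digest()[:4]


def patched_random(fingerprint: bytes) -> bytes:
    """Simulates the patched PRNG described in the article: the output is still
    32 bytes and still looks random, but a fixed per-victim value is embedded
    in it (here as the leading bytes, a hypothetical layout)."""
    return fingerprint + os.urandom(RANDOM_LEN - len(fingerprint))


def build_client_hello(client_random: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello (record + handshake headers, no extensions),
    constructed for the example; real hellos carry many more fields."""
    session_id = b""
    cipher_suites = struct.pack("!H", 0xC02F)  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x00"
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big")   # type=client_hello
    handshake += body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> bytes:
    """Walk the record and handshake headers and return the 32-byte random."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:]                 # skip type + 3-byte length
    return body[2:2 + RANDOM_LEN]        # skip legacy_version


def shared_prefix_len(randoms) -> int:
    """Number of leading bytes identical across all supplied client randoms."""
    n = 0
    for column in zip(*randoms):
        if len(set(column)) != 1:
            break
        n += 1
    return n


def looks_stamped(records, min_prefix: int = 2) -> bool:
    """Detection heuristic: honest randoms from one host should share no
    leading bytes across handshakes. Two hellos agreeing on 2 leading bytes
    happens by chance with probability 2^-16, so min_prefix=2 over a handful
    of hellos keeps false positives low."""
    randoms = [extract_client_random(r) for r in records]
    return len(randoms) >= 2 and shared_prefix_len(randoms) >= min_prefix


if __name__ == "__main__":
    fp = make_fingerprint("constructed-host-id")   # constructed sample input
    stamped = [build_client_hello(patched_random(fp)) for _ in range(5)]
    honest = [build_client_hello(honest_random()) for _ in range(5)]
    print("stamped host flagged:", looks_stamped(stamped))   # True
    print("honest host flagged:", looks_stamped(honest))     # False
```

The check needs several handshakes from the same client, which is exactly the situation a passive observer on the network path is in; and because the stamp rides in the cleartext ClientHello, it is visible on every site the victim visits, which is what makes it a tracker rather than a decryption tool. One caveat for real deployments: older TLS stacks placed a Unix timestamp in the first four bytes of the random, so a prefix-based heuristic has to be tuned to the client software being monitored.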

Because of the sophistication of the operation, the blame is being put on Turla, a well-known hacker group that allegedly operates under the protection of the Russian government.

Kaspersky also pointed out that this is well within the group's capabilities. Nor is this the first time the group has been involved in a controversial hacking incident.

Back in January 2018, a report from the cyber-security firm ESET found that Turla had compromised about four ISPs in Eastern Europe and the former Soviet space, using that position to add malware to legitimate files as victims downloaded them.

Now, Kaspersky believes that the January 2018 incident is similar to the current one, which is a strong reason for its belief that Turla is behind the attack.

It is still unclear how, when, or why this attack happened; there are, however, theories about the group's motives.

The most apparent theory, put forward by a source from ZDNet, is that Turla is doing this to passively observe HTTPS traffic across the web. Kaspersky mentioned the same theory in its statement.

Another plausible explanation is that the hackers use the unique TLS fingerprint as a secondary surveillance mechanism: a fail-safe in case victims find and remove the Reductor trojan.

Nonetheless, Kaspersky reported that, whatever the motive, the technique by itself does not break a user's encrypted traffic: it marks the traffic rather than decrypting it. The Russian group has yet to release a statement confirming or denying these allegations.

Experts are nonetheless warning the public, since the presence of the Reductor RAT on a device would give the attackers full, real-time access to and control of that device.

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
