
Russian Hackers Modify Chrome And Firefox To Spy On Users - Computers - Nairaland


Russian Hackers Modify Chrome And Firefox To Spy On Users by Raychux23(m): 5:13pm On Oct 07, 2019


A Russian hacker group has been spotted using a patch to modify Chrome and Firefox to spy on users. But how were they able to spy on websites that use a secure HTTPS connection?

By the way, Google has long been pushing for more websites to use HTTPS. They have also implemented it as a ranking criterion for Google search results.

The purpose of HTTPS is simply to help prevent attackers from interfering with the data transferred between a website and your browser.

Nonetheless, the hackers did spy on HTTPS websites and had access to seemingly secured information using Chrome and Firefox browsers.

The Cyber-espionage Hacker Group Responsible



The novel attack has been blamed on the hacker group “Turla”; details of the attempts were revealed by Kaspersky.

Turla, also known by other names such as Snake, Uroburos, Krypton, Venomous Bear, Waterbug, Group 88, and Turla Team, is a well-known hacker group believed to operate under the protection of the Russian government. Moreover, the Estonian intelligence services, with evidence, associated Turla with the Russian Federal Security Service (FSB) and Foreign Intelligence Service (SVR).

Turla is associated with Agent.btz and believed to be behind several infamous cyber attacks. They were behind the RUAG espionage incident, an attempted compromise of the Swiss Defense Ministry. Also, the group has been known to hijack and use telecommunication satellites to deliver malware to remote areas.

Turla has also been involved in the social media cycle. Using a Turla watering hole campaign (an updated Firefox extension abusing Instagram), they were able to insert malware in the Instagram comments section. This was seen on a photo posted by Britney Spears on Instagram.

How the Russian Hackers were able to Modify Chrome and Firefox

According to the report by Kaspersky, Turla uses a remote access trojan named Reductor for the attack. The process involves two steps.

Step 1: First, they install their own digital certificates on each infected host. Once this is done, it allows the hackers to intercept any TLS traffic originating from the host.

Step 2: Next, they modify the browser installation to patch its pseudo-random number generation (PRNG) functions.

These functions are used when generating random numbers needed for the process of establishing new TLS handshakes for HTTPS connections.

In other terms, the attack first infects the system with a remote access trojan and thereafter modifies the browsers using the same trojan. Then, it starts installing its own certificates in order to intercept TLS traffic from the host. Finally, it patches the pseudo-random number generation functions used in establishing TLS connections.

After a successful operation, a fingerprint is added to every TLS action, and the attackers can track encrypted traffic passively.

How to remove the trojan



Certainly, the Turla hackers are both sophisticated and smart and did anticipate how a user would approach removing the malware. Probably, once a user discovers the trojan, the next course of action is to uninstall. Doing so will not get rid of the malware entirely.

The only way to actually remove the trojan completely would be to do a fresh install of the browser. Anyways, the intended targets are located in Russia and Belarus, which may be related to politics. Still, it could be used for other reasons and you need to be aware and brace up for impact.

Final words

Consequently, Turla has been one of today’s most sophisticated cyber hacker groups, by a wide margin. Their skills and techniques are years ahead of their competition. This is not the first time Turla has altered a browser component to deploy malware on infected hosts and probably not the last.

Turla is sophisticated, with malware and government backing enabling the Russian hackers to modify Chrome and Firefox. So, what really can you do to protect yourself? Always read security updates and tips from your antivirus provider and security experts.

Always try to keep yourself safe and updated on the latest threats out there in the public domain.

Source: https://techablaze.com/blog/russian-hackers-modify-chrome-and-firefox-to-spy-on-users/
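
A defensive check for Step 1 above, as an added example that is not part of the original post or of Kaspersky's report: it fingerprints every certificate in a PEM export of a host's root store and reports any that are absent from a known-good baseline. The function names, the baseline set and the sample byte strings are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """SHA-256 fingerprint of each certificate in a PEM bundle.

    Returns (fingerprints, malformed_count); a block that is not valid
    base64 is counted instead of aborting the audit.
    """
    good, malformed = [], 0
    for body in PEM_RE.findall(pem_bundle):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            malformed += 1
            continue
        good.append(hashlib.sha256(der).hexdigest())
    return good, malformed

def audit_trust_store(pem_bundle, baseline):
    """Compare a host's exported root store with a known-good baseline."""
    present, malformed = fingerprints(pem_bundle)
    return {
        "unexpected": sorted(set(present) - set(baseline)),  # added on the host
        "missing": sorted(set(baseline) - set(present)),     # removed from the host
        "malformed": malformed,
    }

def pem_wrap(der):
    """Wrap raw bytes as a PEM block (used only to build the sample data)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Constructed sample data: these byte strings stand in for DER certificates.
ROOT_A, ROOT_B = b"constructed-root-A", b"constructed-root-B"
ADDED = b"constructed-added-root"
BASELINE = {hashlib.sha256(c).hexdigest() for c in (ROOT_A, ROOT_B)}
EXPORT = (pem_wrap(ROOT_A) + pem_wrap(ADDED)
          + "-----BEGIN CERTIFICATE-----\n@@not-base64@@\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(audit_trust_store(EXPORT, BASELINE))
```

The baseline has to be recorded from a host known to be clean, and the comparison covers only the certificate step; it says nothing about whether the browser's PRNG functions have been patched.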
