The Russian hacker group Turla has exploited vulnerabilities in the Chrome and Firefox browsers in order to track secure web traffic, taking exploitation to the next level. Kaspersky, an internet security company, has detailed the Russian group's motives: according to its report, the group fingerprints TLS-encrypted web traffic by modifying Chrome and Firefox.
The process is quite sophisticated. The attack first infects the system with a remote access Trojan, then uses that Trojan to modify the browsers: it installs its own certificates in order to intercept TLS traffic from the host, and then patches the pseudo-random number generation that negotiates TLS connections.
This lets them add a fingerprint to every TLS action and track encrypted traffic passively. Some analysts argue that it is not clear why the hackers patch the browsers, because if you have already infected the system with a Trojan remotely, you do not need to patch the browser to spy on traffic.
However, their approach seems to leech onto the browser permanently: if the users remove the Trojan from their system, the patched browser still works for the hackers, and if users do not reinstall their browsers for a long time, the hackers will be able to track the browser's traffic indefinitely, until the browser is reinstalled.
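A patched TLS random generator leaves a trace a defender can look for on the wire: the 32-byte client_random in each ClientHello should never share a prefix across independent handshakes, so a recurring prefix points at a tampered generator. The following detection sketch is an added example, not code from the article or from Kaspersky; the record builder, the `0xdeadbeef` marker and the sample handshakes are all constructed here, and the real Turla fingerprint layout is not described on this page.

```python
import os
import struct
from collections import Counter

def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not a capture)."""
    assert len(client_random) == 32
    body = b"\x03\x03" + client_random + b"\x00"   # client_version, random, empty session id
    body += b"\x00\x02\xc0\x2f"                     # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                             # one compression method (null)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_client_random(record: bytes) -> bytes:
    """Extract the 32-byte client_random from a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    # record header (5) + handshake header (4) + client_version (2) -> random starts at offset 11
    return record[11:43]

def repeated_prefixes(randoms, prefix_len=4, min_repeats=2):
    """Return client_random prefixes seen in at least `min_repeats` handshakes.
    With a healthy CSPRNG a repeated 4-byte prefix between two handshakes has
    probability ~2^-32, so any recurrence across a handful of sessions is a
    strong indicator that the browser's random generator has been patched."""
    counts = Counter(r[:prefix_len] for r in randoms)
    return sorted(p for p, n in counts.items() if n >= min_repeats)

def constructed_samples():
    """Constructed traffic: three handshakes from a 'patched' client that stamps a
    fixed marker into client_random, and three from a healthy client."""
    marker = b"\xde\xad\xbe\xef"   # hypothetical fingerprint, not Turla's real one
    patched = [build_client_hello(marker + os.urandom(28)) for _ in range(3)]
    healthy = [build_client_hello(os.urandom(32)) for _ in range(3)]
    return patched, healthy

if __name__ == "__main__":
    patched, healthy = constructed_samples()
    for label, records in (("patched", patched), ("healthy", healthy)):
        hits = repeated_prefixes([parse_client_random(r) for r in records])
        print(f"{label}: repeated client_random prefixes = {[h.hex() for h in hits]}")
```

Because the check only reads the ClientHello, it works on passive captures from a network tap and keeps flagging a patched browser after the Trojan itself has been removed.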
The Russian group Turla is believed to have backing from the Russian government, said Engadget; the initial targets for the malware were observed in Russia and Belarus. This group is quite sophisticated; it has infected several internet providers in Europe in the past. The group might be using this approach against political targets.