Researchers have discovered new malware that hijacks victims’ interactions with HTTPS web pages by patching the browser’s pseudo-random number generator. The number it produces is used in establishing an encrypted, secure connection; controlling it lets the actors spy on the user’s browser activity and install rogue digital certificates.
The ‘S’ in HTTPS stands for secure, and it implies that information exchanged between a browser and a website is not reachable by third parties. There are still several ways, however, in which a skilled, high-profile hacking group can interfere in this process.
Reductor is a tool designed for exactly such interference. It was used for cyberespionage mainly in CIS countries, usually against diplomatic entities, and its fundamental purpose is to monitor employees’ internet traffic. The modules found had Remote Administration Tool (RAT) functions, and the malware’s capabilities were almost unlimited.
Here the question arises: what makes Reductor so clever? How were the attackers able to install the malware on the targeted systems? And how did they manage to bypass the HTTPS protections? Read the rest of the post for answers to all these questions.
How is the attack made?
Reductor’s distributors have two primary attack vectors. One consists of downloading modules through the COMPfun malware, which was previously attributed to a Russian-speaking threat actor. The other vector is trickier: the attacker patches clean software on the fly while it is being downloaded from legitimate websites to users’ systems.
The software installers came from warez sites, which offer free downloads of pirated software. The original installers available on those sites are not infected, yet they ended up on the victims’ systems carrying malware. The researchers therefore concluded that the replacement happens on the fly and that Reductor’s operators have some control over the target’s network channel.
Once Reductor finds its way onto the victim’s device, it manipulates the installed digital certificates and patches the browser’s pseudo-random number generators, which are used to encrypt the traffic going from the user to HTTPS websites.
To recognize victims whose traffic is hijacked, the criminals add unique hardware- and software-based identifiers for each one and mark them with specific numbers in a not-so-random number generator. Once the browser on the infected device has been patched, the threat actor receives all the actions and information passing through the browser. Throughout this process the victim remains unaware of what is happening.
The researchers say they had never before seen malware developers interacting with browser encryption in this way. The method allowed the attackers to stay well under the radar for a long time. Moreover, the sophistication of the attack method shows that the developers of the Reductor malware are highly skilled and professional.
The security experts note, however, that they could not find any technical clues linking this malware to a known threat actor. They have alerted organizations that deal with sensitive data and warn them to carry out regular security checks.
What happens after infection?
After a system is infected, Reductor moves on to surveil its internet communications. It does this by patching the browser’s pseudo-random number generators, which are used to encrypt the traffic between the user’s browser and a website over HTTPS. In other words, instead of attempting to manipulate the network packets themselves, the adversaries target the Chrome and Firefox browsers and their pseudo-random number generation functions.
The researchers put it this way: the attackers don’t touch the network packets at all; instead, the developers studied the Firefox source code and the Chrome binary code in order to patch the corresponding pseudo-random number generation functions in process memory.
Pseudo-random number generation (PRNG) is used throughout cryptography, including when a secure HTTPS connection is set up between a client and a server, that is, between a browser and a website. When the browser and the website negotiate a TLS handshake, the random number generator produces a random number known as the pre-master secret. This number is used to secure the connection, and it must be unpredictable for the connection to be secure.
Making the random predictable
This is the point where Reductor steps in and turns the unpredictable into the predictable. To manipulate the targeted system’s PRNG functions, the malware’s creators use a small embedded Intel instruction-length disassembler as part of the attack sequence. With it, they place a small victim ID inside the TLS packet.
The unique ID that Reductor includes in the handshake of each TLS session helps identify the origin of the session on the wire, while adding and removing root certificates allows the intercepted communications to be decrypted. In other words, the group is interested in stealthy access to all encrypted communication: authentication, content, credentials and, most importantly, highly sensitive information.
Moreover, this wide variety of cryptography library function patches and TLS session marking, together with root certificate access and modification, points to an attempt to ease TLS MitM attacks while maintaining persistent access.
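As an added illustration (not code from the original post or from the researchers), here is a defender-side check in Python that parses the TLS ClientHello records seen from one host and flags a fixed byte sequence recurring at the same offset of the 32-byte client random, which is the kind of trace a session-marking PRNG patch like the one described would leave. The record layout is standard TLS; the marker value, its offset and the sample sessions are constructed for the demonstration.

```python
import random
import struct

def build_client_hello(client_random):
    """Wrap a 32-byte random in a minimal TLS 1.2 ClientHello record (constructed)."""
    body = b"\x03\x03" + client_random            # client_version + random
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # null compression only
    body += struct.pack("!H", 0)                  # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_client_random(record):
    """Validate record/handshake headers and return the 32-byte client random, or None."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != len(record) - 5 or hs_len != rec_len - 4:
        return None
    return record[11:43]

def shared_marker(randoms, window=4, skip=4):
    """Find a byte window identical at the same offset in every random. Offsets below
    `skip` are ignored: older TLS stacks put a timestamp there, which repeats legitimately."""
    for off in range(skip, 32 - window + 1):
        ref = randoms[0][off:off + window]
        if all(r[off:off + window] == ref for r in randoms[1:]):
            return off, ref
    return None

def flag_host(records, min_sessions=3):
    """Return (offset, marker) if a host's ClientHellos share a fixed marker, else None."""
    randoms = [r for r in map(extract_client_random, records) if r is not None]
    if len(randoms) < min_sessions:
        return None
    return shared_marker(randoms)

def sample_sessions(n, marker=None, offset=8, seed=1):
    """Constructed ClientHellos; if `marker` is given it is stamped at `offset`."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        rnd = bytearray(rng.randbytes(32))
        if marker:
            rnd[offset:offset + len(marker)] = marker
        out.append(build_client_hello(bytes(rnd)))
    return out
```

In practice the records would come from a packet capture keyed by source host; the marker offset is unknown in advance, which is why the scan covers every window position.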
What should be done?
Cybersecurity statistics show that around 230,000 new malware samples appear every day. To avoid being affected by malware, it is recommended to follow the tips below:
● Perform regular security audits of the organization’s IT infrastructure.
● Adopt proven security solutions equipped with web threat protection, which identifies and blocks threats that attempt to use encrypted channels to get into the system undetected.
● Adopt essential endpoint protection and implement a corporate-grade security solution that detects advanced threats at the network level at an early stage.
● Provide the security operations center team with access to the latest threat intelligence, so that it stays up to date with the new and emerging tools and techniques used by threat actors and cybercriminals.
● Conduct security awareness training sessions for staff, so they become aware of the risks associated with pirated software and learn to recognize it.
● According to phishing statistics, 48% of malicious email attachments are work files. Don’t respond to any email you are suspicious of.
With cybersecurity threats ever increasing, it is essential to follow the recommendations and advice given by experts, and to do so every day.
Targeted at smart cities, autonomous mobility and other related use cases, IoT Armour offers Zero Trust security for critical infrastructure, connected devices and IoT networks.
Singapore: Cybersecurity startup Block Armour today announced the release of IoT Armour, its Blockchain-enabled security solution designed specifically for connected devices, related critical infrastructure and IoT networks. With a focus on securing the growing web of connected devices, people and data, IoT Armour provides a next-gen military-grade security system to protect smart cities, autonomous mobility technology devices, and other IoT systems against cyber-threats.
The new solution leverages digital-signature-based identity and authentication for humans, machines and data, thereby securing connected devices and tightly ring-fencing critical infrastructure. IoT Armour delivers an enhanced Software-Defined Perimeter using private permissioned Blockchain and TLS technology. Digital signatures allow users to authenticate and authorize recognized devices within an IoT network, securing communication between such devices and preventing unauthorized devices from getting into the protected networks.
“The rapidly growing world of connected smart devices presents enormous security risks and the existing security solutions are unable to keep pace, scale up and address the security challenges faced by the emerging IoT world”, states Abhijit Dhongade, CTO of Block Armour. “Emerging technology offers opportunities to secure sensor networks, IoT devices and smart infrastructure in bold new ways. And we are proud to lead the way.”
Utilizing Blockchain-based digital signatures, IoT Armour offers Zero Trust security for critical IoT infrastructure, connected devices and communication networks.
Block Armour, the creator of IoT Armour, is exploring collaboration with multiple manufacturers, government agencies, and IoT solution vendors to build out next-gen ultra-secure IoT systems.
For more information, be sure to visit http://www.IoTArmour.com.
About Block Armour
Accelerated by Airbus Bizlab and rated among the top 25 cybersecurity startups globally by Accenture, Block Armour is an India and Singapore-based venture focused on harnessing the potential of Blockchain technology to counter growing cybersecurity challenges in bold new ways. Its Secure Shield platform leverages Software-Defined Perimeter, Blockchain and TLS technology to deliver military-grade security systems targeted at protecting critical infrastructure and connected devices against evolving cyber-threats.