Redirecting you to
Contact Us
Podcast Oct 22, 2019

Root Causes 46: Patching Browsers for TLS Fingerprinting Attacks

In a new variant on a known attack, a Russian Advanced Persistent Threat has begun applying patches to Chrome and Firefox to enable TLS fingerprinting even after the malware is removed from a system. To learn more about this new development, join our hosts as they explain how this attack works, its significance, and where the criminals may go from here.

  • Original Broadcast Date: October 22, 2019

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, let's talk about - - we're going to talk today about a very interesting new attack that, uh, it's a TLS fingerprinting attack, but what's interesting about it is it’s a different approach and a different take, and it's good for people to understand it. And also, I think maybe there might be the possibility of this concept being extended into other things.

    So, the news, and I actually learned about this from ZDNet on October 4, is that the Russian hacker group, Turla group, which is widely considered to be - - well, widely to be believed to be a state-sponsored, you know, advanced, persistent threat, and is also one of the most advanced APTs in the world. Turla group it was found was actually patching Chrome and Firefox in order to install a persistent TLS fingerprinting mechanism. So, maybe for starters, we should explain what TLS fingerprinting is.

    So, what TLS fingerprinting is, is, oh, a TLS session is encrypted by its nature, right? TLS/SSL means that it's encrypted at the host. It's decrypted at the server, or, you know, at the two ends and there's not really any way for any man in the middle to see what's going on and so, you can't really make sense of the encrypted traffic. But you can learn things about the encrypted traffic. Like who's talking to whom? How long are they talking? How frequently? What are the patterns behind their conversations? What are the larger patterns of the people they talk to? And so, TLS fingerprinting in and of itself is a form of threat. People can use it. Especially people like APTs can use it to collect information about people's online usage patterns, which they can then use to design their own attacks or to get more clarity on what's going on with the targets that they're seeking to harm. And the fundamental way that this is accomplished is that people actually install their own recognizable, very short, recognizable sequences of bits in those TLS sessions and then when they see TLS sessions with those sequences of bits, they know it's one of theirs that they're tracking and they know they know who the unique individual is. And you know, this is what's going on with this attack from the Turla group. They get these - - they put their malware on a system and then the malware causes these - - sorry, the malware turns around and it installs these patches into the browsers and what the browsers do is the browsers put these little signifiers. And so, TLS tracking, it's not, certainly not the most common or the most talked about technique, but that in and of itself is not a new technique. What's new and interesting in this case is this concept of actually patching the browsers.

  • Jason Soroko

    So, taking a look at this, it seems to be - - and this is a concept that I have talked about years and years ago, this whole idea of, and I hate to attribute this always to Russia, but it is what it is. You know the common sort of, the funny internet memes that go around, you know, in Soviet Russia, you know, the soup eats you or whatever it is.

  • Tim Callan

    Right.

  • Jason Soroko

    I think there's an analogy here where things are a little different over there, or a lot different, with respect to internet service providers. In North America, most of the west, you know, internet service providers are typically following the law and are not hand-in-hand with criminal groups. In other words, organized crime in the west wants to be able to take over an ISP, I don't know if it's impossible, but it definitely seems to be more difficult. In Russia - -

  • Tim Callan

    Certainly, they are doing it without the cooperation of the ISP, right? That would be because they simply outwitted or out cyber engineered, if you will, the ISP.

  • Jason Soroko

    That’s correct. That's exactly correct. It's typically some kind of a hijacking of a legitimate ISP’s processes.

  • Tim Callan

    Right.

  • Jason Soroko

    Whereas in Russia, it seems to be that criminal organizations are able to become their own ISPs and therefore control the internet in some interesting way and that seems to be, Tim, when I first read this article by my mind went to, well, how the heck are they getting these tainted patches to Chrome and to Firefox and that seems to be the distribution method. So, if we get to the root cause, it seems to be that since you are the ISP, you can then serve whatever content you want to the intended victim and that's how the patch is actually getting to the victim is because essentially, it's a massive, massive man in the middle attack because of the fact that the criminal organization runs the ISP.

  • Tim Callan

    Now you kind of say - - now, one of the things that people say is, they say, well, ok, under these circumstances, if you already can put your malware on the machine, why do you need to patch Chrome and Firefox at all? And one of the ideas that has been advanced is that, well, what if the malware gets cleaned off? So, it's like a second set of malware, right? I get my malware on there. I install my patches and if I respond to the malware, it gets cleaned off, but my patches remain in place and I still get at least some of the benefits that I had.

  • Jason Soroko

    Persistence is an incredibly important topic if you're a bad guy. You want to remain on that victim as long as possible and this is certainly one way of doing it. I mean, it's, a heavy-handed way of doing it, but it does seem though that the victims of this we're within that region.

  • Tim Callan

    Yeah. And now it makes me wonder, and, of course, I don't understand enough about the internals of either of these browsers to know the answer to this, but it makes me wonder if there are other threats that this patching technique could deliver. So, TLS fingerprinting is what's being done here, but once I can start changing the operation of the browser, couldn't I do all kinds of things?

  • Jason Soroko

    This goes all the way back to the original coding of the Zeus virus, right? So the packaging of that was essentially a form of a memory injection into the process of the live browser. It was using a similar technique to the way that say something like Windows would update a video driver without having to have you to reboot.

  • Tim Callan

    Right.

  • Jason Soroko

    And so that exact memory hooking process injection technique was used for illegitimate purposes to be able to then inject new logic within a browser. So, I don't know if you guys remember back in the day when men in the browser was a common term. That's typically what it was related to and most malware of that time, and even still to this day, is just techniques that are similar to that.

  • Tim Callan

    Right? Cause techniques never go away. Right? Once someone finds something it's always out there looking for another opportunity to be useful again and people never forget these things, and, you know, if we stop guarding against them, then they always come back. The other thing that I think is interesting about this, of course, is, you know, again, Turla is considered to be very, very advanced, but the way we always see these things go and, you know, in a recent podcast, you used the example of the Mirai Botnet, and you just gave us another example a few sentences ago, what happens is first to get somebody who's really on the spearhead who starts using these attacks and then as other people learn about them, a broad variety of advanced users start to use them, and then they start to package them up and then they become commonplace and this is the path that we go down. So today it's Turla. One wonders if tomorrow it will be a half dozen APTs and, in two years, it'll be 200.

  • Jason Soroko

    That seems to be the trend, especially if source code, you know, leaks out of whatever organization. It's happened before. It will happen again. I think for this particular kind of attack, though, it does seem to have benefited greatly from that control over the ISP, obviously, which will limit that attack to parts of the world where ISPs are not as heavily regulated as they are here.

  • Tim Callan

    Yeah. Or maybe just, again, where they're not - - where there's some kind of vulnerability. So, what you'll see is, you know, it also will be, these APTs will be motivated to try to find failure points and vulnerabilities in these ISPs. Right? So, they can do it without their cooperation.

  • Jason Soroko

    Yeah. And as we've reported, not that long ago, we're now even worried about content delivery networks also having issues as well, which has become a very standardized way of people serving content. It's not just the big guys doing it anymore, it's almost everyone. So that's perhaps another route. Any form of proxy, which is to generalize it, is a target here.

  • Tim Callan

    Now we can also expect, of course, that the teams are Chrome and Firefox, right? The Google and the Zilla teams are going to be trying to thwart this, right? They saw these headlines for sure. They're well aware of this and they're going to be looking at their own systems and trying to understand, is there a way I can prevent this attack or mitigate this attack in the future?

  • Jason Soroko

    My question and I did not research this before we started to talk, Tim, but I think it might be worth taking a look around, are Chrome and Firefox patches not code signed? Right.

  • Tim Callan

    They are. That I know as a point of fact, and they have been for a long, long time, because these were identified as vulnerabilities. Like back in the 2000s they started code signing their auto updates for exactly that reason. Um, but, obviously, somehow, that could have been circumvented as it was in this case. Well, I guess in this case, they had malware on the computer and once there's malware on the machine, you can do all kinds of stuff.

  • Jason Soroko

    Yes.

  • Tim Callan

    What they do. Here's the process. They use the ISP to install the malware. They use the malware to install the patch.

  • Jason Soroko

    Thanks, Tim. That was the important point that I missed.

  • Tim Callan

    So, yeah. So, certainly, it makes it trickier for somebody like Google or Firefox to try to find a way around this, but, maybe not impossible. Like these are well-resourced organizations that do this work a lot and they might have a trick up their sleeve that I just don't know about.

  • Jason Soroko

    Wow. If you're a customer, even unwittingly of a malicious ISP, you've probably got all kinds of remote access Trojans on your machine anyway.

  • Tim Callan

    Yeah. Yeah. And that's one of the points is somewhere along the line, right, if your ISP is compromised, if you're machine is compromised, if there's malware on your machine, it's almost a point of, well, you're sunk, anyway. The question is just how bad and in what way. And so, you know, we are seeing that here, but, again, I think what was interesting about this is this kind of belt and suspenders technique they used where they said, ok, look, the malware’s gonna get cleaned, but we're still gonna have our stuff working on our behalf and the way they got there was very unusual and very interesting.

  • Jason Soroko

    This gets down to the root cause part of the podcast here, but, but I think the overlying message about TLS fingerprinting that you did a really nice introductory job of re-explaining it, we're seeing more and more of it and for people in the PKI industry, it's something to keep an eye on.

  • Tim Callan

    Yeah. So anyway, that's it. Just another sort of a little bulletin from us and we'll keep our eye on this and if the story turns out to have some legs or, you know, another variant, we may be back to talk about it, but that's where it sits right now.

  • Jason Soroko

    Hey, thanks, Tim. This is a great update. I like some of these short dispatches from the field and with a little bit more of an explanation beyond the headlines.

  • Tim Callan

    Exactly. Right. So that's our dispatch from the field, Listeners. Thank you for joining us. Thank you as always, Jay.

  • Jason Soroko

    Thank you.

  • Tim Callan

    Okay. This has been Root Causes.