Tag Archives: CIA

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #20 – CouchPotato

CouchPotato enabled CIA agents to remotely use the tool to stealthily collect RTSP/H.264 video streams (RTSP/H.264: Real Time Streaming Protocol is a network control protocol designed for use in entertainment and communication systems and is a control mechanism for streaming media servers).

The tool provided CIA operatives with a number of options:

  • Collect the media stream as a video file (AVI);
  • Capture still images (JPG) of frames from the media stream;
    • This function was capable of being triggered only when there was change (threshold setting) in the pixel count from the previous capture;

The tool uses FFmpeg to encode and decode video and images and Real Time Streaming Protocol connectivity. The CouchPotato tool works stealthily without leaving any evidence on the attacked systems facilitated by ICE v3 “Fire and Collect” loader.

This is an in-memory code execution (ICE) technique that runs malicious code without the module code being written to the disk.

Neither Wikileaks, nor the leaked user guide explains how the agency penetrates the attacked systems, but as many CIA malware, exploits and hacking tools have already leaked in the Vault 7 publications, the agency has probably used CouchPotato in combination with other tools.” – TAD Group

The 10th August 2017 WikiLeaks release overview:

“Today, August 10th 2017, WikiLeaks publishes the the User Guide for the CoachPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.”

One document was published alongside this release:

CouchPotato v1.0 — User Guide

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #18 – UCL / Raytheon

In November 2014, Raytheon announced its acquisition of Blackbird Technologies. This acquisition expanded Raytheon’s special operations capabilities in several areas including:

  • Tactical Intelligence
  • Surveillance and reconnaissance
  • Secure tactical communications
  • Cybersecurity

Raytheon stated that their existing capabilities were now augmented by the Blackbird Technologies acquisition “across a broad spectrum of globally dispersed platforms and communications networks”. Blackbird Technologies was synergistic with Raytheon’s existing expertise and capabilities specifically in the areas of:

  • Sensors
  • Communications
  • Command & Control

This document dump contains suggested PoC’s for malware attack vectors. Raytheon Blackbird Technologies acted as a “kind of “technology scout” for the Remote Development Branch (RDB) of the CIA”.

They analysed malware attacks in the public domain and then gave the CIA recommendations for malware projects. These suggestions by RBT to the CIA were in line with the agencies stated objectives. These malware recommendations benefitted from data derived from “test deployments” in the field by other malware actors. Weaknesses in legacy deployments were assessed and designed out in the CIA versions.

The 19th July 2017 WikiLeaks release overview:

Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field. Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Forty One (41) documents accompanied this release:

  1. 11 September, 2015 (S//NF) CSIT 15083 — HTTPBrowser
  2. 11 September, 2015 (S//NF) CSIT 15085 — NfLog
  3. 11 September, 2015 (S//NF) Symantec — Regin – Stealthy Surveillance
  4. 11 September, 2015 (S//NF) FireEye — HammerToss – Stealthy Tactics
  5. 11 September, 2015 (S//NF) VB — Gamker
  6. 4 September, 2015 (S//NF) SentinelOne – Rombertik
  7. 4 September, 2015 (S//NF) FireEye – Window into Russian Cyber Ops
  8. 4 September, 2015 (S//NF) MalwareBytes — HanJuan Drops New Tinba
  9. 4 September, 2015 (S//NF) Cisco — Rombertik
  10. 4 September, 2015 (S//NF) RSA — Terracotta VPN
  11. 28 August, 2015 (S//NF) Dell SecureWorks — Sakula
  12. 28 August, 2015 (S//NF) CSIT 15078 — Skipper Implant
  13. 28 August, 2015 (S//NF) Symantec — Evolution of Ransomware
  14. 28 August, 2015 (S//NF) CSIT 15079 — Cozy Bear
  15. 28 August, 2015 (U) McAfee DLL Hijack — PoC Report
  16. 28 August, 2015 (U) HeapDestroy – DLL Rootkit — PoC Report
  17. 21 August, 2015 (S//NF) TW — WildNeutron
  18. 21 August, 2015 (S//NF) NMehta — Theories on Persistence
  19. 21 August, 2015 (S//NF) CERT-EU — Kerberos Golden Ticket
  20. 21 August, 2015 (S//NF) VB Dridex 2015 — Dridex
  21. 14 August, 2015 (S//NF) Symantec — Black Vine
  22. 14 August, 2015 (S//NF) CSIR 15005 — Stalker Panda
  23. 14 August, 2015 (S//NF) CSIT 15016 — Elirks RAT
  24. 14 August, 2015 (S//NF) Eset — Liberpy
  25. 14 August, 2015 (S//NF) Eset — Potao
  26. 7 August, 2015 (U) Sinowal Web Form Scraping — PoC Report
  27. 7 August, 2015 (S//NF) MIRcon — Something About WMI
  28. 7 August, 2015 (U) PoC Report — Anti-Debugging and Anti-Emulation
  29. 7 August, 2015 (S//NF) SY 2015 — Butterfly Attackers
  30. 7 August, 2015 (S//NF) Symantec — ZeroAccess Indepth
  31. 7 August, 2015 (S//NF) CI 2015 — PlugX 7.0
  32. 7 August, 2015 (U) Mimikatz Password Scanning Analysis — PoC Report
  33. 7 August, 2015 (S//NF) TrendMicro — Understanding WMI Malware
  34. 4 August, 2015 (S//NF) CanSecWest 2013 — DEP/ASLR Bypass Without ROP/JIT
  35. 26 June, 2015 (U) Software Restriction Policy: A/V Disable — PoC Report
  36. 26 June, 2015 (U) WMI Persistence Proof of Concept — Supplemental Report
  37. 29 May, 2015 (U) Mimikatz PoC Report
  38. 29 May, 2015 (U) Pony / Fareit PoC Report
  39. 26 January, 2015 (U) SIRIUS Pique Proof-of-Concept Delivery — User-Mode DKOM — Final PoC Report
  40. 29 December, 2014 (U) SIRIUS Pique Proof-of-Concept Delivery — Direct Kernel Object Manipulation (DKOM) — Interim PoC Report
  41. 21 November, 2014 (U) Direct Kernel Object Manipulasiton (DKOM) — Proof-of-Concept (PoC) Outline 21 November, 2014

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

 

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #19 – Dumbo

Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations. *

Vault7 Projects - Images - AAC Dumbo - PAG

The 3rd August 2017 WikiLeaks release overview:

Today, August 3rd 2017 WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations. Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation. Dumbo is run by the field agent directly from an USB stick; it requires administrator privileges to perform its task. It supports 32bit Windows XP, Windows Vista, and newer versions of Windows operating system. 64bit Windows XP, or Windows versions prior to XP are not supported.

Log Excerpt:

Vault7 Projects - Images - AAC Dumbo - LOG

Eight documents were also published alongside this release:

Dumbo v3.0 — Field Guide

Dumbo v3.0 — User Guide

Dumbo v2.0 — Field Guide

Dumbo v2.0 — User Guide

Dumbo v1.0 — TDR Briefing

Dumbo v1.0 — User Guide

Dumbo Epione v1.0 — TDR Briefing

Dumbo Epione v1.0 — User Guide

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #17 – Imperial: Achilles, SeaPea, & Aeris

These leaked documents relate to a CIA project codenamed ‘Imperial’, they include details of three CIA hacking tools and implants that have been designed to compromise computers running Apple Mac OS X and different Linux distributions. *

The three hacking tools are:

  1. Achilles – A tool to trojanize a legitimate OS X disk image (.dmg) installer;
  2. SeaPea – A Stealthy Rootkit For Mac OS X Systems;
  3. Aeris – An Automated Implant For Linux Systems.

The 27th July 2017 WikiLeaks release overview:

Today, July 27th 2017, WikiLeaks publishes documents from the Imperial project of the CIA. Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution. Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants. SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OSX 10.6 and 10.7.

Vault7 Projects - Images - HackRead Imperial

Three documents were also published alongside this release:

Achilles — User Guide

The malware has been tested to be compatible with Intel processors running 10.6 OS.

SeaPea — User Guide

This hack was written in 2011. It is listed as “tested” on OS X 10.6/Snow Leopard and Mac OS X 10.7/Lion. The malware works by assigning processes to any one of the three categories namely: Normal, Elite, and Super-Elite. ** The commands in SeaPea are executed as Elite processes.

Aeris — Users Guide

The coding for the Aeris hacking tool was done in C and it affects the following systems:

Debian Linux 7 (i386), Debian Linux 7 (amd64), Debian Linux 7 (ARM), Red Hat Enterprise Linux 6 (i386), Red Hat Enterprise Linux 6 (amd64), Solaris 11 (i386), Solaris 11 (SPARC), FreeBSD 8 (i386), FreeBSD 8 (amd64), CentOS 5.3 (i386) and CentOS 5.7 (i386). ***

Previous and subsequent Vault 7 WikiLeaks dumps synopses are available on WikiLeaks and also see further analysis of Imperial at HackRead and The Hacker News.

ENDS

Header image courtesy of The Hacker News (Twitter @TheHackersNews) & in-article image courtesy of HackRead (Twitter @HackRead)

* Content courtesy of Pierluigi Paganini “Security Affairs” article  WikiLeaks published another batch of classified documents from the CIA Vault 7 leak, it includes details of the Imperial project

** References from content courtesy of HackRead – Twitter @HackRead

*** References from content courtesy of The Hacker News – Twitter @TheHackersNews

“Dark Web Criminal Mastermind Kingpin Puppet Master…” Middle Class White Kids

Alexandre Cazes (no a.k.a. yet that I am aware of, but I guess in bad taste a.k.a dead) and Ross Ulbricht, a.k.a Dread Pirate Roberts have clearly got a number of things in common.

Even though Mr. Cazes has only had a couple of weeks of the media spotlight, we know an awful lot about him, mostly from people who did not know him.

One of the things that these men have in common are meaningless labels. These men are – according to the Alphabet Agencies’s and the Main Stream Media – “dark net drug lords”, “criminal mastermind’s”, “kingpin’s”.

You too can make up your own throwaway and meaningless tag for the sake of variety. Everyone is at it, so why not you too. The most recent Gothamesque label that I have read is that Cazes was a “deep web puppet master”.

It all reads like a particularly bad penny dreadful.

We do not have to worry about prejudicing the Cazes trial and we can dispense with using words like “allegedly”. Because he is dead.

That is the second thing that the two men have in common. Cazes won’t be getting a trial, and neither did Ulbricht. No, Ulbricht did not get a trial and do not try to tell me that he did.

Ulbricht got to make a defence – overnight after the Court disallowed the entirety of his prepared defence – in the impossibly biased and corralled environment that was imposed on him.

Guilty or innocent everyone is meant to be entitled to a fair trial. But, not really. Anymore. Trial by media is much better and such a useful tool when trying to get a defendant to cop a plea.

Like refusing Ulbricht a witness list prior to the trial on the basis that he might have them killed. And that on the basis that the original indictment contained a baseless “murder for hire” allegation which was never pursued. It’s called manufacturing your own reality.

Cazes is dead by way of apparent suicide in a Thai jail. Two things that never raise an eyebrow when they appear in the same sentence are “war crimes and Nazis” and “suicide and Thai jail”.

But what does raise my unwieldy eyebrows is that after the “incredibly sophisticated takedown” of Cazes, in the words of those who performed the “takedown” #self-praise, is that these same guys who are so adept at “incredibly sophisticated” activities could not stay in that groove and keep the guy alive long enough to have him extradited.

Probably best (for them) considering the judicial aftermath of the Ulbricht trial. Everyone likes a neat bundle. Especially when dubiously legal and borderline activities like hacking sovereign nations, or breaching international law are key tools of your “sophisticated” activities.

Just like people have been removed from the reality of the source of their food, their power, their light, now too it seems that one can run an eye-wateringly successful drug empire without ever needing to meet a drug dealer.

A laptop, bitcoins, a couple of offshore accounts, and growing up on the mean streets of a well funded, middle class upbringing full of loving parents, and college educations is all that one needs, apparently.

Also key to these successful enterprises is a manifesto. One must also have a manifesto. No need for a gun, or rudeness. Guns and rudeness are passé in the cyber drug world.

From law enforcements perspective it also helps, and without fear of contradiction or oxymoron, if your “incredibly sophisticated takedown” has an “incredibly unsophisticated” end. Such as this in the Cazes case …

“His assets were listed in a spreadsheet on his unencrypted laptop, which authorities, including the Royal Thai Police, the FBI and the DEA, found when they raided his primary residence in Thailand on July 5. They also discovered he was logged into the AlphaBay website as the site administrator and they were able to find passwords for AlphaBay servers, and then seized information and cryptocurrencies from those servers.”

Here are some striking similarities between these two “criminal masterminds” that do not sit well with the labels:

  1. Ulbricht – “hotmail” email address in the header files / welcome messages at the outset which personally identified him;
  2. Cazes – “gmail” email address in the header files / welcome messages at the outset which personally identified him;
  3. Ulbricht – “logged in an as the site administrator (Silk Road)” at the “Glen Park branch of the San Francisco Public Library” when arrested;
  4. Cazes – “logged in an as the site administrator (AlphaBay)” at home when arrested;
  5. Ulbricht – all the passwords for “Silk Road” on his laptop, unencrypted; (need to fact check this more)
  6. Cazes – all the passwords for “AlphaBay” on his laptop, unencrypted;
  7. Ulbricht – all the cryptocurrency details on his laptop;
  8. Cazes – all the cryptocurrency details on his laptop;

I guess the new batch of dark net Lex Luthor’s should add to the drug empire “creation myth” to-do list:

  1. Do not forget to remove my personal details from the header files;
  2. Do not forget to remove my personal details from the welcome messages;
  3. Encrypt my laptop, just a little bit;
  4. Look over my shoulder regularly, but most importantly
  5. Get Mom and Dad to pay for “Dark Net Mastermind for Middle Class White Kids” classes;

OR

The FBI, the CIA (illegally operating in domestic criminal cases (DPR)), and the DEA should vary the script that they provide to the media after these “incredibly sophisticated takedowns” with their very unsophisticated but incredibly convenient endings.

ENDS

Quick Reference Resource Introduction: WikiLeaks CIA Vault 7 Leaks

This series covers links to and analysis of each of the WikiLeaks CIA Vault 7 leaks including:

  1. The WikiLeaks pages;
  2. The associated CIA documents – Specification Documents, Systems Requirements, Installation Guides, User Guides, User Manuals, Test Plans, Tactics Documents, Slides and so on;
  3. Links to external references and sources including The Hacker News (Twitter @TheHackersNews), HackRead (Twitter @HackRead), and Pierluigi Paganini at “Security Affairs”; 
  4. Analysis by other third party publications of each leak;
  5. General comments, notes, and links added by AirGap Anonymity Collective as each leak and its previous deployment is more clearly understood;
  6. How these posts will evolve over time:
    1. The first post will be a generic description of each leak including 1-3 above; 
    2. Content will be added over time and date-stamped to include:
      1. Articles, external resources, and commentary that augment the knowledge base with respect to the basic content of each leak; 
      2. Advice on counter-measures / new research; 
      3. Analysis and examples of the subsequent deployment (in the original form or altered) of these hacking tools by cyber criminals, cyber terrorists, state actors, hackers, and others;
      4. Other information that does not emanate from generic or main stream media sources; 

These documents are marked with various security classifications. To understand what these classifications mean see Understanding NSA / INR Security Classifications on Intelligence Assessments;

Posts in this series to date:

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #16 – HighRise;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #17 – Imperial: Achilles, SeaPea, & Aeris

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #18 – UCL / Raytheon

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #19 – Dumbo

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #20 – CouchPotato

All third party content is explicitly acknowledged and content or imagery that has been altered or amended for ease of use is clearly marked.  

ENDS

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry

The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA hackers load via shell access to the targeted system and create a hidden Netfilter table with an obscure name on a target Linux user. The OutlawCountry project allows the CIA hackers to redirect all outbound network traffic on the targeted computer to CIA controlled computer systems for exfiltrate and infiltrate data. *

Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it seems like the CIA hackers rely on the available CIA exploits and backdoors to inject the kernel module into a targeted Linux operating system. However, there are some limitations to using the tool, such as the kernel modules only work with compatible Linux kernels. **

The 30th June 2017 WikiLeaks release overview:

“Today, June 30th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator. The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.

Two documents were also published alongside this release:

OutlawCountry v1.0 User Manual

OutlawCountry v1.0 Test Plan

Previous and subsequent Vault 7 WikiLeaks dumps #1 – #13 and #15 – #17 synopses are available on WikiLeaks and analysis of OutlawCountry at The Hacker News.

ENDS

Edited Image courtesy of The Hacker News – Twitter @TheHackersNews

* Content courtesy of The Hacker News – Twitter @TheHackersNews

** Content courtesy of The Hacker News – Twitter @TheHackersNews