Tag Archives: Linux

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #17 – Imperial: Achilles, SeaPea, & Aeris

These leaked documents relate to a CIA project codenamed ‘Imperial’, they include details of three CIA hacking tools and implants that have been designed to compromise computers running Apple Mac OS X and different Linux distributions. *

The three hacking tools are:

  1. Achilles – A tool to trojanize a legitimate OS X disk image (.dmg) installer;
  2. SeaPea – A Stealthy Rootkit For Mac OS X Systems;
  3. Aeris – An Automated Implant For Linux Systems.

The 27th July 2017 WikiLeaks release overview:

Today, July 27th 2017, WikiLeaks publishes documents from the Imperial project of the CIA. Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution. Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants. SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OSX 10.6 and 10.7.

Vault7 Projects - Images - HackRead Imperial

Three documents were also published alongside this release:

Achilles — User Guide

The malware has been tested to be compatible with Intel processors running 10.6 OS.

SeaPea — User Guide

This hack was written in 2011. It is listed as “tested” on OS X 10.6/Snow Leopard and Mac OS X 10.7/Lion. The malware works by assigning processes to any one of the three categories namely: Normal, Elite, and Super-Elite. ** The commands in SeaPea are executed as Elite processes.

Aeris — Users Guide

The coding for the Aeris hacking tool was done in C and it affects the following systems:

Debian Linux 7 (i386), Debian Linux 7 (amd64), Debian Linux 7 (ARM), Red Hat Enterprise Linux 6 (i386), Red Hat Enterprise Linux 6 (amd64), Solaris 11 (i386), Solaris 11 (SPARC), FreeBSD 8 (i386), FreeBSD 8 (amd64), CentOS 5.3 (i386) and CentOS 5.7 (i386). ***

Previous and subsequent Vault 7 WikiLeaks dumps synopses are available on WikiLeaks and also see further analysis of Imperial at HackRead and The Hacker News.

ENDS

Header image courtesy of The Hacker News (Twitter @TheHackersNews) & in-article image courtesy of HackRead (Twitter @HackRead)

* Content courtesy of Pierluigi Paganini “Security Affairs” article  WikiLeaks published another batch of classified documents from the CIA Vault 7 leak, it includes details of the Imperial project

** References from content courtesy of HackRead – Twitter @HackRead

*** References from content courtesy of The Hacker News – Twitter @TheHackersNews

IBM Mainframe Ushers in New Era of Data Protection with Pervasive Encryption

Main take-outs in IBM Z Systems announcement:

  1. Pervasively encrypts data, all the time at any scale;
  2. Addresses global data breach epidemic;
  3. Helps automate compliance for EU General Data Protection Regulation, Federal Reserve and other emerging regulations;
  4. Encrypts data 18x faster than compared x86 platforms, at 5 percent of the cost (Source: “Pervasive Encryption: A New Paradigm for Protection,” K. R. E. Lind, Chief Systems Engineer, Solitaire Interglobal Ltd., June 30, 2017);
  5. Announces six IBM Cloud Blockchain data centers with IBM Z as encryption engine;
  6. Delivers groundbreaking Container Pricing for new solutions, such as instant payments.

The new data encryption capabilities are designed to address the global epidemic of data breaches, a major factor in the $8 trillion cybercrime impact on the global economy by 2022. Of the more than nine billion data records lost or stolen since 2013, only four percent were encrypted, making the vast majority of such data vulnerable to organized cybercrime rings, state actors and employees misusing access to sensitive information.

In the most significant re-positioning of mainframe technology in more than a decade, when the platform embraced Linux and open source software, IBM Z now dramatically expands the protective cryptographic umbrella of the world’s most advanced encryption technology and key protection. The system’s advanced cryptographic capability now extends across any data, networks, external devices or entire applications – such as the IBM Cloud Blockchain service – with no application changes and no impact on business service level agreements.

“The vast majority of stolen or leaked data today is in the open and easy to use because encryption has been very difficult and expensive to do at scale,” said Ross Mauri, General Manager, IBM Z. “We created a data protection engine for the cloud era to have a significant and immediate impact on global data security.”

ENDS

* From an article originally published on July 17 2017 on my Peerlyst blog

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon

BothanSpy is Microsoft Windows implant that targets the SSH client program Xshell and steals user credentials for all active SSH sessions. Gyrfalcon is a CentOS, Debian, RHEL, SUSE, and Ubuntu Linux Platform implant that targets the OpenSSH client not only steals user credentials of active SSH sessions but is also capable of collecting full or partial OpenSSH session traffic. Both implants save the collected information in an encrypted file for later exfiltration while the BothanSpy implant also implements exfiltration in real time to a CIA server thus leaving no footprint on the target system storage disk(s).

The 6th July 2017 WikiLeaks release overview:

“Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted [sic] file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine. Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

Three documents were also published alongside this release BothanSpy V1.0 Tool Documentation, Gyrfalcon V2.0 User’s Guide, and Gyrfalcon 1.0 User Manual.

Previous and subsequent Vault 7 WikiLeaks dumps #1 – #14 and #16 synopses are available on WikiLeaks and analysis of BothanSpy & Gyrfalcon at The Hacker News.

ENDS

Edited Image courtesy of The Hacker News – Twitter @TheHackersNews – Original Image edited to add extract from BothanSpy Tool Documentation Page 8 Screenshot 07/16/2017.

The CIA Dark Triad – Windows, macOS & Linux

According to the WikiLeaks Vault 7 dump the CIA deploys malware that includes the capability to hack, remotely view and/or clone devices running the Windows, macOS, and Linux operating systems.

This seems to suggest that the agency has no problem bypassing encryption, proxies, VPN and that Tor anonymity is a myth.

This does not mean that each of the point solutions offering a product under each of the above headings have been compromised. Rather it means that the OS level hack capability of the CIA – as seen on iOS and Android – means that they can gain full control of the device and render any point solution counter measures moot.

Therefore they subvert the platform which by extension means that anything that is running on the platform is subverted.

Tablet, laptop, smart-phone, AV device – it seems they are all fair game and in that case so is everything that you do on them.

You have been warned.

You are being watched.

ENDS