WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (thehackernews.com)
An anonymous reader quotes a report from The Hacker News: WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- an implant for the Microsoft Windows Xshell client -- and Gyrfalcon -- which targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.
Illegal (Score:2, Informative)
I thought hacking was illegal under the computer crimes and abuse act?
Re:Illegal (Score:4)
For you yes it is illegal... For the government? Not so much...
Re: (Score:2)
For foreign governments, still very much so and according to the US government, a declaration of war, as they have stated repeatedly. According to the US Government's own big fat fucking mouths, when they hack your country's network, they have committed an act of war and should face the consequences. It would seem according to the US Government's own stance, that the US government should be publicly rebuked by the United Nations for committing acts of war all over the world, as defined by the US government.
So... (Score:3, Informative)
FTA
BothanSpy is installed as a Shellterm 3.x extension on the target machine and only works if Xshell is running on it with active sessions.
The user manual for Gyrfalcon v2.0 says that the implant consists of "two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file."
You need an attack vector to implant the malware.
Re: (Score:3)
Not only that, the Gyrfalcon User Manual (Page 6) says:
1. Extract the files from the 'upload' directory in the tarball (see section 2.3.1). Both the gyr64-linux (or gyr32-linux) and the encrypted config file (in the example, .gfconf) are needed. The executable can be renamed to suit the operation.
2. Upload the files to the target using whatever means available. Place them in the 'Working Directory' (as specified in the configuration).
3. Change to the working directory and execute gyrfalcon as root:
$ su – (if necessary)
# cd /gyrfalcon/working/directory
# ls -a
. .. .gfconf gyr64-linux
# ./gyr64-linux /dev/null
#
So, someone who has root access to a Linux system can get the SSH keys of any user of that system. Well, duh....
Re: (Score:2)
The key is in collecting them from the openssh client/key agent memory between the time you enter the passphrase to decrypt it, and the time it's eventually unloaded from RAM.
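A defender-side illustration of the window described in this comment, added here and not part of the comment, the leaked manual, or any project: with an auditd rule such as `-a always,exit -F arch=b64 -S ptrace -k ptrace` in place, the script below parses auditd SYSCALL records and flags any ptrace attach aimed at an ssh or ssh-agent process, since reading another process's memory on Linux normally goes through ptrace (or /proc/PID/mem, which is gated by the same permission check). The audit lines, the process table snapshot, the tracer names and the pids are all constructed sample data; the syscall number 101 and the PTRACE_ATTACH/PTRACE_SEIZE request codes are the real x86_64 values.

```python
"""Flag ptrace attaches against SSH client/agent processes in auditd logs.

Added defensive example (not code from the leaked manual or any project).
Assumes an audit rule logging ptrace on x86_64, e.g.
    -a always,exit -F arch=b64 -S ptrace -k ptrace
"""
import re
from collections import namedtuple

PTRACE_SYSCALL_X86_64 = 101          # __NR_ptrace on x86_64
# ptrace request codes (from <sys/ptrace.h>) that take control of another process
ATTACH_REQUESTS = {0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}
# processes whose memory holds decrypted keys or agent sockets worth protecting
SSH_PROCESS_NAMES = {"ssh", "ssh-agent", "gpg-agent"}

# Constructed sample: pid -> comm snapshot of the host (not real data)
SAMPLE_PROCESSES = {1201: "ssh-agent", 1337: "ssh", 2002: "bash"}

# Constructed sample auditd SYSCALL records (not real log data). For ptrace,
# a0 is the request and a1 the target pid; auditd prints both in hex.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1499345678.101:301): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4b1 a2=0 a3=0 pid=4410 auid=1000 uid=0 comm="untrusted" exe="/tmp/untrusted" key="ptrace"
type=SYSCALL msg=audit(1499345678.102:302): arch=c000003e syscall=101 success=yes exit=0 a0=4206 a1=539 a2=0 a3=0 pid=4410 auid=1000 uid=0 comm="untrusted" exe="/tmp/untrusted" key="ptrace"
type=SYSCALL msg=audit(1499345690.500:303): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=7d2 a2=0 a3=0 pid=4500 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"
type=SYSCALL msg=audit(1499345691.000:304): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=4b1 a2=0 a3=0 pid=4600 auid=1000 uid=1000 comm="strace" exe="/usr/bin/strace" key="ptrace"
"""

Finding = namedtuple(
    "Finding", "event tracer_pid tracer_comm request target_pid target_comm success"
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_EVENT = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_record(line):
    """Split one auditd record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def find_ssh_ptrace(log_text, processes):
    """Return a Finding for every ptrace attach/seize whose target is an SSH
    process. Failed attempts (success=no) are reported too: a blocked attach
    is still evidence that something tried to read agent memory."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        if int(rec.get("syscall", -1)) != PTRACE_SYSCALL_X86_64:
            continue
        request = int(rec["a0"], 16)
        if request not in ATTACH_REQUESTS:
            continue  # PEEKDATA etc. can only follow a successful attach
        target_pid = int(rec["a1"], 16)
        target_comm = processes.get(target_pid)
        if target_comm not in SSH_PROCESS_NAMES:
            continue
        m = _EVENT.search(rec.get("msg", ""))
        findings.append(Finding(
            event=int(m.group(1)) if m else None,
            tracer_pid=int(rec["pid"]),
            tracer_comm=rec.get("comm", "?"),
            request=ATTACH_REQUESTS[request],
            target_pid=target_pid,
            target_comm=target_comm,
            success=rec.get("success") == "yes",
        ))
    return findings


if __name__ == "__main__":
    for f in find_ssh_ptrace(SAMPLE_AUDIT_LOG, SAMPLE_PROCESSES):
        status = "SUCCEEDED" if f.success else "blocked"
        print(f"event {f.event}: {f.tracer_comm}[{f.tracer_pid}] {f.request} "
              f"-> {f.target_comm}[{f.target_pid}] {status}")
```

On the constructed sample this reports three events: the two successful attaches by the root-owned "untrusted" process against ssh-agent and ssh, and the failed strace attempt against ssh-agent; the gdb attach to bash is ignored. Two mitigations narrow the window the comment describes without any detection at all: `ssh-add -t <seconds>` makes the agent forget the key after a lifetime, and `kernel.yama.ptrace_scope=1` (or higher) stops same-uid processes from attaching to an agent they did not spawn. Neither stops an attacker who already has root, which is the case the Gyrfalcon manual quoted above assumes.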
Re: (Score:2)
I'm now interested to see if enforcing SELinux prevents this.
Re: (Score:3)
You need an attack vector to implant the malware.
Did many Bothans die to bring you this information?
Again? (Score:2)
I think I remember seeing this very tool in the "NSA catalog" type thing from the big ES leak.
Just more proof; if it's on a computer, it's insecure.
There's no security hole here (Score:3, Informative)
The manual says, "Upload the files to the target using whatever means available."
This is something an agent puts on an already-compromised machine.
Re: (Score:2)
Sometimes the code will be added on a USB device by hand and the data collected in the same way.
Other times down a network and the data collected in the same way.
It just depends on the nation, the ability to get site access and tell a good story about needing computer access.
The security hole is left to what is needed. The collection method works as expected.
At one point (Score:2)
This type of shit should stop! What else is hidden from public by those goons?
Do they have any decency? Probably not, needs a certain character to feel superior and protect the country....
Re: (Score:2)
C'mon... I'd be mad if our intelligence agencies didn't have this. This is just post-exploit kit. They'd be incompetent if they didn't have it. Even more incompetent than they were for letting this material escape the barn.
The thing to get mad about is sabotage of products to maintain backdoors, and keeping bugs secret.
Re: (Score:2)
What are you whining about? It's their job to be sneaky and surreptitiously collect data.
You think they should announce to the world all the vulnerabilities they've found so those means can be closed? If those attack vectors are on the machine of a foreign government they provide invaluable ways of collecting data which don't involve putting someone's life at risk.
What do you think a spy agency does? Tell their target, "Hey, we're going to put this software on your machine so we can listen in and record ev
Windows, Linux... (Score:2)
But NOT macOS.
Tee Hee.
Re: (Score:1)
Nope. Apple installed their own implants except they have round edges.
Re: (Score:2)
It's just a python script. It could probably be easily tweaked to run on MacOS.
Re: (Score:2)
But NOT macOS.
Tee Hee.
They're still arguing over which shade of black their hats should be.
sort of like exposing the bows and arrows (Score:2)
It's Python! (Score:2)
I knew Python would eventually slither in and undermine my security with its whitespace of doom!
The POSIX Shell Script Master Race prevails again!
;)
Um ... (Score:2)
Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network.
[ The restraint exhibited in explaining SSH, on a tech site, but *not* "cryptographic" is amazing.
/sarcasm ]