WikiLeaks: How does the CIA steal SSH credentials?

WikiLeaks today published the 15th batch of documents in the Vault 7 series. This time it describes two CIA implants that allow the intelligence service to monitor and intercept SSH (Secure Shell) credentials on targeted Windows and Linux operating systems, using a different attack vector for each platform.

Secure Shell, or SSH, is a cryptographic network protocol used to connect securely to remote machines and servers over an insecure network. (Source: WikiLeaks)

The first implant, BothanSpy, targets Windows operating systems, while the second, Gyrfalcon, targets OpenSSH on various Linux distributions such as CentOS, Debian, RHEL, openSUSE and Ubuntu.

Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.

BothanSpy

BothanSpy is installed as a Shellterm 3.x extension on the target machine; it works only while Xshell is running and only against active sessions.

Xshell is a powerful terminal emulator that supports the SSH, SFTP, TELNET, RLOGIN and SERIAL protocols and provides dynamic port forwarding, custom key mapping and VB scripting.

"To use BothanSpy on targets running an x64 version of Windows, the loader used must support Wow64 injection," says the CIA User Guide published by WikiLeaks.

"Xshell only comes as an x86 binary, so BothanSpy has been compiled as x86. Shellterm 3.0+ supports Wow64 injection and is highly recommended."

Gyrfalcon

Gyrfalcon targets Linux systems (32- or 64-bit kernel) and relies on the JQC/KitV rootkit, developed by the CIA, for persistent access.

Gyrfalcon can capture full or partial traffic from OpenSSH sessions and stores the stolen information in an encrypted file for later processing.

"The tool works in an automated way: it is pre-configured, run on the remote host, and left running," says the Gyrfalcon v1.0 user manual.

"Sometime later, the operator comes back and instructs Gyrfalcon to flush what it has collected to disk. The operator retrieves the collection file, decrypts it and analyzes the collected data."

The user manual published by WikiLeaks for Gyrfalcon v2.0 states that the implant consists of "two compiled binaries that must be uploaded to the destination platform along with an encrypted configuration file".

"Gyrfalcon does not provide communication services between the local computer and the operator. The operator will have to use a third-party application to upload these three files to the target."

As a reminder, WikiLeaks has been releasing documents in the Vault 7 series since 7 March, exposing more and more CIA hacking tools:

"Year Zero": CIA exploits for popular hardware and software.
"Weeping Angel": the spying tool the service uses to compromise smart TVs, turning them into covert microphones.
"Dark Matter": exploits targeting iPhones and Macs.
"Marble": a secret anti-forensic tool; essentially an obfuscator used by the CIA to hide the real source of its malware.
"Grasshopper": a framework that lets the intelligence service easily build custom malware to compromise Microsoft Windows and bypass antivirus protection.
"Archimedes": a MitM attack tool allegedly created by the CIA to target computers within a local area network (LAN).
"Scribbles": a tool designed to add "web beacons" to classified documents so that the agency can track leaks.
"Athena": designed to take full control of infected Windows computers, allowing the CIA to perform many actions on the target machine, such as deleting data, installing malicious software, or stealing data and sending it to CIA servers.
"CherryBlossom": a tool that monitors a target's web activity, redirects the browser, tracks email addresses and phone numbers, and more.
"Brutal Kangaroo": a tool that can be used to infect air-gapped computers with malware.
"ELSA": Windows malware used by the CIA to determine the location of a particular user via the computer's Wi-Fi.
"OutlawCountry": Linux malware that the CIA uses to determine the location of a particular user via the computer's Wi-Fi.
"BothanSpy" and "Gyrfalcon": tools for stealing SSH credentials from Windows and Linux, respectively.

iGuRu.gr


Written by giorgos
