Tag Archives: Vault 7

Security News For The Week Ending February 28, 2020

Russia Behind Cyberattacks on Country of Georgia Last Year

The State Department and the UK say that Russia was behind the attack on over ten thousand websites in the Country of Georgia last year.

They also formally attributed Sandworm (AKA Voodoo Bear, Telebots and BlackEnergy) to Russia’s GRU Unit 74455. Sandworm is the group responsible for the attacks against Ukraine’s power grid in 2015 and 2016 as well as NotPetya and other attacks. Not a nice bunch, but highly skilled. Andy Greenberg’s book, Sandworm, tells a scary story about these guys.

This is an interesting announcement from the State Department given the general position of the White House regarding Russian hacking. Here is the State Department’s press release.

Google to Restrict Android App Access to Location Tracking

Google is changing the Google Play Store policy for apps accessing your location when they are running in the background in response to user concerns.

The “user” is likely the folks running GDPR and the concern is the potential fine of 4% of Google’s revenue (AKA $6.4 billion).

They are reviewing all apps in the Play Store to see if they really need background access to your location or whether the user experience is just fine without them collecting and selling your location.

New apps will have to comply with this new policy by August 3 and existing apps will have until November 3 to comply.

In Android 11 you will be able to give an app ONE TIME permission to access your location data. When the app moves to the background, it will lose permission and will have to re-request it if it wants your location again.

This is actually pretty cool, but GDPR went into effect almost two years ago and they are just doing this now? Could it have something to do with an EU investigation of their use of location data? Probably just a coincidence. Source: PC Magazine

Accused CIA Vault 7 Leaker Goes To Trial

Accused CIA Vault 7 leaker Joshua Schulte’s trial for leaking top secret documents to Wikileaks started earlier this month. Schulte is accused of leaking top secret programs that the CIA used to hack opponents, causing serious embarrassment for their horrible security, allowing those tools to get into the hands of hackers and allowing our enemies to know how we hack them. It also cost the CIA a ton of money because they had to create a whole bunch of new programs that exploited different bugs that they had not disclosed to vendors to fix. Apparently Joshua is a bit of a challenge to work with and manage. Not only was he “a pain in the ass” but he also was into kiddie porn. He will be tried on those charges separately. Schulte’s lawyers say the government failed to turn over evidence that there might have been another leaker and want the court to declare a mistrial. WOW! Read the details here.

Microsoft Trying to Do Away With Windows “Local” Accounts

For those of you who have been long time Windows users, you know that you had a userid to log on to the computer and then, possibly, if you want, another userid and password to log on to cloud services.

Like Google, Microsoft wants as much information about you as it can possibly collect. They also want you to use all of Microsoft’s online services, all of which are tied to your Microsoft login and not your local Windows login.

Microsoft’s answer? Make it very difficult for a user to log on to his or her computer with a local login. In fact, as of the most recent update to Windows 10, the only way to create a local, non-Microsoft, login is to disconnect your computer from the Internet when you first install it.

After all, they know that you DO want them to snoop on everything that you do. Source: Bleeping Computer


CIA Spies on FBI, DHS and Other Friends

In the ongoing Wikileaks Vault 7 series of leaks, there is a new leak called ExpressLane.

According to the documents released by Wikileaks, the CIA offers a partnership with other law enforcement and government agencies in which those partners can share biometric data such as fingerprints with the CIA.

The CIA does this by offering a predefined hardware, operating system and software to its liaison partners.  It also supports these systems.

Since the program is voluntary, the CIA likely did not get all of the biometric data that each of the partner agencies had collected, so they decided to get creative.

Since they “support” these systems for their friends, they send a technician to update the system via flash drive.  Only that update also installs the ExpressLane backdoor.

ExpressLane has two parts – the first part creates a hidden partition on the target system where the biometric data is captured.  This partition is used as a holding pen for the data that they want to steal.  The data is encrypted and compressed before being stored in the hidden partition.

The second part takes the data from the hidden partition and steals it by copying it to the flash drive the next time the technician comes to “maintain” the system.

This is only one of 21 disclosures that WikiLeaks has made in the Vault 7 series – likely with more to come.

If this turns out to be true and I suspect that it probably is true, then partners – especially those in other countries – are likely going to be less cooperative with the CIA and probably all other federal government law enforcement and justice agencies.   In that sense, WikiLeaks is doing significant damage to the U.S. Government.

One might think that other governments should have assumed that the CIA is not trustworthy (after all, what the CIA was doing is likely NO DIFFERENT from what other countries likely do), but I am not sure that other U.S. Government agencies would have made that same assumption – until now.

For the CIA, this is yet another damaging blow.  Probably not to their prestige (other than the fact that all of this stuff has become public), but rather to their operational ability as all of these tools become public.

SOME of the other leaks include:

  • DUMBO – a tool to hack webcams and microphones
  • IMPERIAL – a series of tools to hack Mac, Linux and Unix systems
  • HIGHRISE – a tool to steal information from phones and exfiltrate it via SMS messages
  • ELSA – A tool to harvest location information data of Windows laptops
  • CHERRY BLOSSOM – A tool to monitor Internet activity on targeted systems by exploiting bugs in Wi-Fi devices
  • WEEPING ANGEL – a tool to transform smart TVs into covert listening devices

And, many, many others.

What we don’t know yet is how many MORE leaked documents WikiLeaks will publish and where they are getting them from.  Two likely candidates are rogue employees and nation state actors like Russia and China.  The CIA has not, that I am aware of, given any indication of the source of the leaks, although I am sure they are trying hard to figure it out and may know already.

In my opinion, rogue employees seem less likely, but who knows.  What is VERY SCARY is if the Russians or Chinese have infiltrated the CIA and are still there.  I am pretty comfortable that the CIA is likely more concerned about this possibility than anyone and are probably working very hard to figure out if that is in fact what happened.

Of course, they may never tell us what they find unless they decide to prosecute someone for espionage.

Information for this post came from The Hacker News.


Wikileaks Releases Mac, Linux and Unix Malware

In the continuing saga of Vault 7 – the leaking of CIA hacking tools, Wikileaks made Mac, Linux and Unix users feel welcome.  Instead of leaking Windows and Android malicious code, they leaked Mac, Linux and Unix tools instead.  I guess they are equal opportunity leakers.

In this case they just leaked the manuals so that people could understand what the tools do but not be able to do it themselves.

Tool number one is named Achilles.  Achilles is an interesting tool.  Let’s say that you wanted to install a piece of malware but you didn’t want to be detected.  Achilles allows you to “bind” a payload executable to a Mac DMG file.  When the user runs the DMG file, it installs the appropriate software but adds a little extra – some malware of the CIA’s choosing.  But then – and this is the interesting part – it then unbinds the malware payload from the DMG file so that the next time it is used to install the product, all that user gets is the actual software.  Achilles generates what is called a one time payload.  This dramatically reduces the probability of being detected.  What this does not do is give you a way of getting the malicious package onto the target system.  That has to be done using a different tool.

Tool number two is called Aeris and that is for Linux or POSIX systems.  It runs on a variety of Linux or POSIX systems including Debian, Red Hat, Solaris, FreeBSD and CentOS.  This particular part of the hacking ecosystem is designed to exfiltrate data from the target system over an encrypted channel.  Collecting the data is left for some other tool in the toolbox.

Tool number three is called SeaPea and targets Mac OS X systems.  It is a rootkit, meaning that it is likely undetectable by normal anti-malware software and it persists across reboots.  It can also hide files, open network connections and launch other malicious code.  It dates back several years and was designed to work with OS X Snow Leopard and Lion.  That, of course, does not mean that it hasn’t been updated to work with newer versions but rather “dates” when this documentation was stolen.

What this means is that, not surprisingly, the CIA wants to be able to hack any operating system – they are not counting on users running any OS in particular.

While the CIA folks are good, they are likely on par with other spy organizations – sometimes better than some and sometimes not as good as others.  We should assume that the other folks, both good and bad – Russia, China, Ukraine as well as Germany, England and Israel, for example – have similar abilities.

Given the continuing dribbling of software and documentation over months, it seems likely that Wikileaks is not done yet and will likely leak more.  What we don’t know is how much of the CIA’s hacking arsenal this is.  Is it 5 percent or 50 percent?  25 percent or 75 percent?  We don’t know and likely never will know.  My GUESS (and hope) is that it is on the lower range of possible percentages, but who knows.

What this does mean is that there is likely a huge number of security holes in a whole range of operating systems that have not been patched – ones that both the good guys and the bad guys are exploiting.  While I am not so concerned about the good guys, I am VERY concerned about the bad guys.

Information for this post came from Bleeping Computer.

How the CIA – Or Others – Can Hack Your Internet Router

When was the last time you patched your Internet router?  Probably never.  That is what the CIA is counting on.  As well as foreign governments and just plain hackers.

But when it comes to the CIA, they are probably not interested in you.  That may not be the case when it comes to the other categories of folks mentioned above.  Hackers want valuables;  foreign governments may want your intellectual property.

In this case Wikileaks continued its steady flow of stolen CIA documents called Vault 7.  The documents talk about vulnerabilities in certain brands of routers and WiFi access points.

Apparently the CIA likes hacking routers because it is highly unlikely that you would detect it since there are no indications that it has been compromised.  After all, other than a couple of blinking lights, most routers have no user interface at all.

According to the leak, the CIA tool is called Claymore and it figures out what model router you have and then runs a suite of attacks against it – tailored to that router.  If it succeeds, it now owns your router and can make it do whatever they want.

For example, once the CIA hacks the router it can install its own software which might route all of your traffic through one of their monitoring points.  If they are replacing the software in the router, they could do anything they want.

I hear you – I don’t have anything the CIA wants.

That could be true.  Likely it is.

But do you have anything that an average-bear hacker might be interested in?  Does your business?

While the CIA folks are sharp, this attack ain’t rocket science.  In fact it is sort of junior high.  The particular tools that they are using might be sophisticated, but they are leveraging the fact that most people do not patch their routers.  Ever!

So what should you do?

  1. Change the default password.  PLEASE!  That is the first thing that hackers are going to try and do.
  2. Find out how to upgrade your router and do that monthly, if not more often.
  3. Better yet, pick a router that automatically looks for and installs its patches.  Then you don’t have to deal with it.

While this is not going to stop everyone, at least the hacker will have to be out of elementary school to break in.

Information for this post came from Wired.

US Cyber Command Spends 90% on Offensive Cyber

Earlier this month the folks at Cisco were sent into a frenzy when Wikileaks disclosed Cisco exploits in their Vault 7 CIA tool data dump.

Wikileaks disclosed that the CIA had been hacking Cisco Internet switches for over a year to eavesdrop on users, but didn’t disclose how.  Wikileaks and a number of the tech vendors are at odds regarding revealing the details of the hacks because of conditions Wikileaks is imposing prior to giving the manufacturers the details.

Given the resources at John Chambers’ disposal, Cisco reassigned teams of engineers, working around the clock for days first trying to figure out how the CIA did it – without any help from Wikileaks.  Then they had to craft a warning to customers regarding the 300 products affected.  Finally, they had to come up with fixes, test them and get them into the distribution channel.

Due to the way the government (in the form of the NSA and CIA particularly) prioritizes cyber risk, offensive cyber is much more important than defensive cyber (more about this later).

So even though the CIA had known about these bugs for at least a year, they prioritized using the bug against their surveillance targets over protecting U.S. citizens.

This has been the argument since the creation of USCYBERCOM.  USCYBERCOM is headed by the same person as the NSA – Admiral Mike Rogers.

The problem is that the NSA’s mission is to hack into targets of interest and Cybercom’s mission is to protect the U.S.  In case of a ‘conflict of interest’, who wins?

The original idea was to help USCYBERCOM get off the ground by being able to leverage NSA’s considerable cyber expertise, but for the last year or two, there have been calls to split the two (see Washington Post article here.)  In fact, there were conversations about President Obama separating the two toward the end of his term.  This idea was endorsed by both Defense Secretary Ash Carter and Director of National Intelligence James Clapper.  President Obama signed a bill that bars the splitting until the Joint Chiefs of Staff certify that splitting it would not be harmful.  We have no idea what President Trump thinks about the subject.

Laura Pfeiffer, a former senior director of the White House situation room, suggested that now that our adversaries’ cyber capabilities were catching up to ours, we ought to think about reconsidering our strategy.

According to Reuters, 90 percent of all spending on cyber across the federal government is dedicated to offensive cyber.

President Trump is proposing to spend $1.5 billion on defensive cyber inside DHS.  Compare that to $50 billion for the U.S. Intelligence budget in 2013 – about 3 percent.

Departing NSA Deputy Director Rick Ledgett confirmed that 90% number and said that it needed to be adjusted.

In a recent NSA reorg, IAD, the division of the NSA responsible for defensive cyber was buried inside a new operations division, meaning even less attention may be given to defense.

In early 2014 President Obama issued a directive that said that the NSA had to disclose bugs unless they have clear national security or law enforcement value, in which case they can be kept secret.  Almost any serious cyber bug could be said to have clear national security or law enforcement value.

In any case, it is possible that our adversaries were also aware of and using the Cisco bugs against us and our allies.  Such is the conflict the USCYBERCOM faces every day – use the bug or disclose it?  Are we (USCYBERCOM) the only ones who know about the bug or do our adversaries know also?

Whether we think what Wikileaks did was right or wrong, it is clear that a number of potentially serious bugs will be patched as a result.

From the CIA’s standpoint, it is possible that even if our adversaries knew about some of the same bugs that they knew about, our ability to exploit them or the value in keeping the bugs in place and continuing to collect data for as long as possible might outweigh the disadvantage that our enemies were using the same bugs against us.

This is clearly a mess and I am not confident that politicians understand the problem well enough to actually fix it, but we can hope.

Information for this post came from Reuters.

Wikileaks Publishes CIA Hacking Tools – Round One

It seems like the spy-guys (or is it spy-people) can’t seem to catch a break.  First it was Snowden; more recently it was Martin – both Booz Allen contractors at the NSA.  Now it is the CIA.  Wikileaks published thousands of documents, which appear to be real, describing CIA hacking tools.  This includes, supposedly, at least a dozen ‘zero-day’ attacks for a variety of platforms including iPhone, Android and Windows.

Assuming this is all real, this will definitely make the CIA’s job harder as vendors patch holes that the CIA has known about for an unknown amount of time – maybe years – and decided to use the attacks rather than telling the vendors and letting them fix the bugs.  This has been the argument about having U.S. Cyber Command being responsible for both hacking and defending us.  Under President Obama there was a protocol to follow that formalized the process of whether they revealed a bug or kept it secret.  That protocol did not stop them from keeping secrets as today’s leaks prove.  That is part of what Wikileaks wants to reveal.  Some people will consider that good; others will consider it bad.

The first set of documents, which Wikileaks calls Vault 7, contains about 8,700 documents of what they call Year Zero.  The documents are purported to come from inside CIA Langley.

This series of documents follows a preview disclosure last month describing the CIA’s efforts to target French political parties and candidates during the 2012 elections – which sounds very similar to what we are accusing Russia of doing here, last year.  What the CIA wanted to do with the information was not disclosed.

Apparently, the CIA’s hacker division called the Center for Cyber Intelligence (CCI), had over 5,000 users and had developed over a thousand hacking tools.

For what it is worth, Wikileaks says that their source wants to start a debate about whether the CIA has exceeded its authority and whether there is sufficient oversight. Clearly if the CIA develops a tool and the bad guys figure it out, that tool is out of control and there may not be a way to get the genie back in the bottle.

Wikileaks says that it has redacted some information and decided not to release the actual tools because of the risk that represents.

The CIA’s Engineering Development Group (EDG), which is part of CCI, is part of the Directorate for Digital Innovation, one of five directorates inside the CIA.

One of the tools that was disclosed is a tool to infect smart TVs so that they become covert eavesdropping devices, even when supposedly powered off.

Another project was to take over control of cars to perform covert and likely totally undetectable assassinations.  There have been rumors about this in the past when there were some unexplained car crashes that killed high profile individuals.

While the iPhone only represents about 15% of the global smart phone market, apparently the CIA has a whole branch dedicated to hacking them.  This is likely due to the status symbol that the iPhone represents in government circles.

The CIA also has techniques to bypass the encryption of apps like Signal, WhatsApp, Weibo, Confide and others.  They do this not by cracking the encryption, but likely by covertly installing eavesdropping software on the phones to capture the data before it is encrypted or after it is decrypted.

After Snowden revealed that the intelligence community was hoarding zero day vulnerabilities, the Obama administration agreed to a process to decide which vulnerabilities to disclose, but, according to Wikileaks, the CIA did not follow those protocols and continued to hoard zero day vulnerabilities.

There is a huge amount of information released and reporters will likely be reviewing it for weeks, but Wikileaks says that there is much more to come.  How much and when is not clear.

To me, what is most interesting is not that the CIA is doing this – everyone is doing this – but rather, even after Manning, after Snowden, and after Martin, just to name a few massive leaks, the intelligence community doesn’t seem to be able to stop the leaks.

What President Trump will do is not clear.

What Snowden said that he did, and I assume what Wikileaks is doing also, is to distribute encrypted copies of unredacted documents to hundreds of media sources with the system set up to automatically distribute the keys if something bad happens to Wikileaks or its embattled founder, Julian Assange.  I don’t know if this is true, but it is the only thing that makes sense to explain why Assange is still alive and Wikileaks is still online.  *IF* it is known to the intelligence community that Wikileaks is in possession of some sort of nuclear option, they are likely to tread much more lightly around Wikileaks.  Given what they have already published, this is certainly not out of the question.

Information for this post came from a Wikileaks Press Release.