Tag Archives: Vault 7

Security News for the Week Ending June 17, 2022

Ransomware Morphs Again

We know that ransomware has gone through a lot of iterations over the last couple of years as hackers try to maximize their revenue. The BlackCat group is now creating public websites for each victim company and has indexed the data to make it easy to search. I guess this means that it will be harder for companies that get hacked to hide what data was stolen. In one of their sites, you can select between employee data and customer data as the first filter and then search on that subset. Credit: Brian Krebs

NSA Quietly Appoints General Counsel After Two Years

You may remember that in the final, sort of weird, final days of the last President’s administration, the ex-President attempted to force the NSA to accept an unqualified political hack in the role of GC – a person who had not even worked inside the intelligence community, a process known as burrowing. Burrowing converts a political appointee into a career civil servant. Gen. Nakasone was ordered, on the last day of the ex-President’s administration to swear the guy in. That same day, the General put the new GC on administrative leave pending an inquiry about some security incidents. After several months in limbo, he resigned. He now is a lawyer at Rumble, a business partner of Truth Social. See a pattern? Anyway, April Falcon Doss, who seems to have impressive legal creds, was finally, quietly, sworn in as GC last month. Credit: The Record

Cyberattack – One and Done? Nope; Not Likely

According to research by Cymulate, 39% of companies were hit by cybercrime over the last year. Of those, TWO THIRDS were hit more than once. Also, of those who were hacked once, 10% were hacked ten times. That doesn’t give me a lot of warm fuzzies. Credit: ZDNet

Joshua Schulte, Former CIA Coder, Represents Himself in Second Espionage Trial

Joshua Schulte, is a former software engineer who worked for the CIA. He is accused of the largest, most damaging leak the CIA ever had. In his first trial, the jury hung on espionage charges. Now the second trial is beginning and he is representing himself. I recall a saying about a lawyer who represents himself has a fool for a client. Even though he is not a lawyer, the saying applies. He says he was framed. Prosecutors say he is guilty. Stay tuned for details. Credit: Security Week

Indian Police Planted False Evidence on Activist’s Computers to Arrest Them

Police in India were caught using hacking tools to plant evidence on people’s computers and then arresting them for the staged crime. The people being cyber attacked are not terrorists, but rather journalists and activists – in other words, people who annoy the police. With the help of SentinelOne, the hacking-by-police incidents have been publicly exposed. Credit: Wired

Your Cybersecurity is Likely Better Than the CIA’s Was. Or is?

The Vault 7 leak, in which Wikileaks posted information about a large number of CIA hacking tools was possibly the worst national security compromise the Agency has ever seen.

Not only did it reveal our techniques for hacking foreign systems but the hackers repurposed those tools and hacked American and other friendly companies and governments.

The CIA had to create a whole new series of tools that used different exploits, assuming that is even completely possible.

While the Vault 7 leaks did not distribute source code, it did disclose Tactics, Techniques and Procedures (TTPs). This gives the other side all kinds of clues into our thinking, what software we think is vulnerable and our approach to hacking.

Joshua Schulte was arrested and tried for the leak but was only convicted on a few of the lesser charges. Why?

Because the CIA had horrible internal security practices.

An internal CIA report reviewing the breach said that bad cyber practices led to the disclosure of at least 180 GB of hacking tools and documentation.

The report said that the Agency shared administrative passwords and had no control of removable storage, for example.

While if you do that, it is a problem, if the CIA does that, well, it is a disaster.

The Intelligence Community has a historical love, maybe obsession is a better word, for OFFENSIVE security (hacking the bad guys) and not much interest in DEFENSIVE security.

A redacted, but still damning, version of the report has been released.

Following Tom Lehrer’s song of Wernher Von Braun’s thoughts about rockets (“Once the rockets are up, who cares where they come down”), the report says:

“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely.

Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

The report also says that there were deficiencies in the Agency’s procedures for detecting rogue insiders, which allowed the insider to take all of the data out and give it to Wikileaks.

According to Senator Wyden, who released the redacted report, years later the Agency’s security is not a whole lot better.

So maybe your security is not so bad. At least when your stuff gets compromised, you aren’t helping the Russians and Chinese.

That is probably not the metric that you want to use for your security program.

And why did Schulte’s trial end in a mistrial for many of the charges? Because the CIA’s security was so bad that they could not convince the jury definitively that Schulte took the information.

Credit: The Register

Security News For The Week Ending February 28, 2020

Russia Behind Cyberattacks on Country of Georgia Last Year

The State Department and the UK say that Russia was behind the attack on over ten thousand websites in the Country of Georgia last year.

They also formally attributed Sandworm (AKA Voodoo Bear, Telebots and BlackEnergy) to Russia’s GRU Unit 74455. Sandworm is the group responsible for the attacks against Ukraine’s power grid in 2015 and 2016 as well as NotPetya and other attacks. Not a nice bunch, but highly skilled. Andy Greenberg’s book, Sandworm, tells a scary story about these guys.

This is an interesting announcement from the State Department given the general position of the White House regarding Russian hacking. Here is the State Department’s press release.

Google to Restrict Android App Access to Location Tracking

Google is changing the Google Play Store policy for apps accessing your location when they are running in the background in response to user concerns.

The “user” is likely the folks running GDPR and the concern is the potential fine of 4% of Google’s revenue (AKA $6.4 billion).

They are reviewing all apps in the Play Store to see if the really need background access to your location or whether the user experience is just fine without them collecting and selling your location.

New apps will have to comply with this new policy by August 3 and existing apps will have until November 3 to comply.

In Android 11 you will be able to give an app ONE TIME permission to access your location data. When the app moves to the background, it will lose permission and will have to re-request it if it wants your location again.

This is actually pretty cool, but GDPR went into effect almost two years ago and they are just doing this now? Could it have something to do with a EU investigation of their use of location data? Probably just a coincidence. Source: PC Magazine

Accused CIA Vault 7 Leaker Goes To Trial

Accused CIA Vault 7 leaker Joshua Schulte’s trial for leaking top secret documents to Wikileaks started earlier this month. Schulte is accused of leaking top secret programs that the CIA used to hack opponents, causing serious embarrassment for their horrible security, allowing those tools to get into the hands of hackers and allowing our enemies to know how we hack them. It also cost the CIA a ton of money because they had to create a whole bunch of new programs that exploited different bugs that that had not disclosed to vendors to fix. Apparently Joshua is a bit of a challenge to work with and manage. Not only was he “a pain in the ass” but he also was into kiddie porn. He will be tried on those charges separately. Schulte’s lawyers say the government failed to turn over evidence that there might have been another leaker and wants the court to declare a mistrial. WOW! Read the details here.

Microsoft Trying to Do Away With Windows “Local” Accounts

For those of you who have been long time Windows users, you know that you had a userid to log on to the computer and then, possibly, if you want, another userid and password to logon to cloud services.

Like Google, Microsoft wants as much information about you as it can possibly collect. They also want you to use all of Microsoft’s online services, all of which are tied to your Microsoft login and not your local Windows login.

Microsoft’s answer? Make it very difficult for a user to logon to his or her computer with a local login. In fact, as of the most recent update to Windows 10, the only way to create a local, non-Microsoft, login is to disconnect your computer from the Internet when you first install it.

After all, they know that you DO want them to snoop on everything that you do. Source: Bleeping Computer

CIA Spies on FBI, DHS and Other Friends

In the ongoing Wikileaks Vault 7 series of leaks, there is a new leak called ExpressLane.

According to the documents released by Wikileaks, the CIA offers a partnership with other law enforcement and government agencies in which those partners can share biometric data such as fingerprints with the CIA.

The CIA does this by offering a predefined hardware, operating system and software to its liaison partners.  It also supports these systems.

Since the program is voluntary, the CIA likely did not get all of the biometric data that each of the partner agencies had collected, so they decided to get creative.

Since they “support” these systems for their friends, they send a technician to update the system via flash drive.  Only that update also installs the ExpressLane backdoor.

ExpressLane has two parts – the first part creates a hidden partition on the target system where the biometric data is captured.  This partition is used as a holding pen for the data that they want to steal.  The data is encrypted and compressed before being stored in the hidden partition.

The second part takes the data from the hidden partition and steals it by copying it to the flash drive the next time the technician comes to “maintain” the system.

This is only one of 21 disclosures that WikiLeaks has made in the Vault 7 series – likely with more to come.

If this turns out to be true and I suspect that it probably is true, then partners – especially those in other countries – are likely going to be less cooperative with the CIA and probably all other federal government law enforcement and justice agencies.   In that sense, WikiLeaks is doing significant damage to the U.S. Government.

One might think that other governments should have assumed that the CIA is not trustworthy (after all, what the CIA was doing is likely NO DIFFERENT from what other countries likely do), but I am not sure that other U.S. Government agencies would have made that same assumption – until now.

For the CIA, this is yet another damaging blow.  Probably not to their prestige (other than the fact that all of this stuff has become public). but rather to their operational ability as all of these tools become public.

SOME of the other leaks include:

  • DUMBO – a tool to hack webcams and microphones
  • IMPERIAL – a series of tools to hack Mac, Linux and Unix systems
  • HIGHRISE – a tool to steal information from phones and exfiltrate it via SMS messages
  • ELSA – A tool to harvest location information data of Windows laptops
  • CHERRY BLOSSOM – A tool to monitor Internet activity on targeted systems by exploiting bugs in Wi-Fi devices
  • WEEPING ANGEL – a tool to transform smart TVs into covert listening devices

And, many, many others.

What we don’t know yet is how many MORE leaked documents WikiLeaks will publish and where they are getting them from.  Two likely candidates are rogue employees and nation state actors like Russia and China.  The CIA has not, that I am aware of, given any indication of the source of the leaks, although I am sure they are trying hard to figure it out and may know already.

In my opinion, rogue employees seem less likely, but who knows.  What is VERY SCARY is if the Russians or Chinese have infiltrated the CIA and are still there.  I am pretty comfortable that the CIA is likely more concerned about this possibility than anyone and are probably working very hard to figure out if that is in fact what happened.

Of course, they may never tell us what they find unless they decide to prosecute someone for espionage.

Information for this post came from The Hacker News.



Wikileaks Releases Mac, Linux and Unix Malware

In the continuing saga of Vault 7 – the leaking of CIA hacking tools, Wikileaks made Mac, Linux and Unix users feel welcome.  Instead of leaking Windows and Android malicious code, they leaked Mac, Linux and Unix tools instead.  I guess they are equal opportunity leakers.

In this case they just leaked the manuals so that people could understand what the tools do but not be able to do it themselves.

Tool number one is named Achilles.  Achilles is an interesting tool.  Lets say that you wanted to install a piece of malware but you didn’t want to be detected.  Achilles allows you to “bind” a payload executable to a Mac DMG files.  When the user runs the DMG file, it installs the appropriate software but adds a little extra – some malware of the CIA’s choosing.  But then – and this is the interesting part – it then unbinds the malware payload from the DMG file so that the next time it is used to install the product, all that user gets is the actual software.  Achilles generates what is called a one time payload.  This dramatically reduces the probability of being detected.  What this does not do is give you a way of getting the malicious package onto the target system.  That has to be done using a different tool.

Tool number two is called Aeris and that is for Linux or POSIX systems.  It runs on a variety of Linux or POSIX systems including Debian, Red Hat, Solaris, FreeBSD and CentOS.  This particular part of the hacking ecosystem is designed to exfiltrate data from the target system over an encrypted channel.  Collecting the data is left for some other tool in the toolbox.

Tool number three is called SeaPea and targets Mac OS X systems.  It is a rootkit, meaning that it is likely undetectable by normal anti-malware software and it persists across reboots.  It can also hide files, open network connections and launch other malicious code.  It dates back several years and was designed to work with OS X Snow Leopard and Lion.  That, of course, does not mean that it hasn’t been updated work with newer versions but rather “dates” when this documentation was stolen.

What this means is that, not surprisingly, the CIA wants to be able to hack any operating system – they are not counting on users running any OS in particular.

While the CIA folks are good, they are likely on par with other spy organizations – sometimes better than some and sometimes not as good as others.  We should assume that the other folks, both good and bad – Russia, China, Ukraine as well as Germany, England and Israel, for example – have similar abilities.

Given the continuing dribbling of software and documentation over months, it seems likely that Wikileaks is not done yet and will likely leak more.  What we don’t know is how much of the CIA’s hacking arsenal this is.  Is it 5 percent or 50 percent?  25 percent or 75 percent.  We don’t know and likely never will know.  My GUESS (and hope) is that it is on the lower range of possible percentages, but who knows.

What this does mean is that there is likely a huge number of security holes in a whole range of operating systems that have not been patched – ones that both the good guys and the bad guys are exploiting.  While I am not so concerned about the good guys, I am VERY concerned about the bad guys.

Information for this post came from Bleeping Computer.

How the CIA – Or Others – Can Hack Your Internet Router

When was the last time you patched your Internet router?  Probably never.  That is what the CIA is counting on.  As well as foreign governments and just plain hackers.

But when it comes to the CIA, they are probably not interested in you.  That may not be the case when it comes to the other categories of folks mentioned above.  Hackers want valuables;  foreign governments may want your intellectual property.

In this case Wikileaks continued its steady flow of stolen CIA documents called Vault 7.  The documents talk about vulnerabilities in certain brands of routers and and WiFi access points.

Apparently the CIA likes hacking routers because it is highly unlikely that you would detect it since there are no indications that it has been compromised.  After all, other than a couple of blinking lights, most routers have no user interface at all.

According to the leak, the CIA tool is called Claymore and it figures out what model router you have and then runs a suite of attacks against it – tailored to that router.  If it succeeds, it now owns your router and can make it do whatever they want.

For example, once the CIA hacks the router it can install its own software which might route all of your traffic through one of their monitoring points.  If they are replacing the software in the router, they could do anything they want.

I hear you – I don’t have anything the CIA wants.

That could be true.  Likely it is.

But do you have anything that an average-bear hacker might be interested in?  Does your business?

While the CIA folks are sharp, this attack ain’t rocket science.  In fact it is sort of junior high.  The particular tools that they are using might be sophisticated, but the are leveraging the fact that most people do not patch their routers.  Ever!

So what should you do?

  1. Change the default password.  PLEASE!  That is the first thing that hackers are going to try and do.
  2. Find out how to upgrade your router and do that monthly, if not more often.
  3. Better yet, pick a router that automatically looks for and installs its patches.  Then you don’t have to deal with it.

While this is not going to stop everyone, at least the hacker will have to be out of elementary school to break in.

Information for this post came from Wired.