Slashdot Mirror


WikiLeaks Reveals A CIA LAN-Attacking Tool From 'Vault 7' (betanews.com)

An anonymous reader quotes BetaNews: WikiLeaks continues to release revealing documents from its Vault 7 cache. This time around the organization introduces us to a CIA tool called Archimedes -- previously known as Fulcrum. As before, there is little to confirm whether or not the tool is still in active use -- or, indeed, if it has actually ever been used -- but the documentation shows how it can be installed on a LAN to perform a man-in-the-middle attack.

The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target's computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."

HotHardware notes that WikiLeaks "also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted" -- including this instruction in the guide's "Management" section. "If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait."

52 comments

  1. Putin by Anonymous Coward · · Score: 0, Insightful

    Putin is in the midst of a man in the middle attack on America. Trump's the Middle Man.

  2. Ettercap by Anonymous Coward · · Score: 5, Informative

    W00h00, they reinvented ettercap:
    # ettercap -i eth0 -T -M arp /192.168.111.1/ /192.168.111.2/

    1. Re:Ettercap by sml156 · · Score: 0

      W00h00, they reinvented ettercap: # ettercap -i eth0 -T -M arp /192.168.111.1/ /192.168.111.2/

      Get with the times:
      # bettercap -X -L -T 192.168.111.2

    2. Re:Ettercap by Anonymous Coward · · Score: 0

      Nice! I wasn't aware of the new one, but OK, bettercap also reinvented ettercap...

  3. Re:Now Trump can stop this! by Anonymous Coward · · Score: 1

    What makes you think that Trump would want to stop this?

    That shit about people projecting their own values onto Trump is the real deal, all right.

  4. What About HTTPS? by Anonymous Coward · · Score: 1

    If this tool cannot support forging a response such that it appears to have come from the requested server then it would seem to have limited use. One of the reasons why X.509 certificates, which are the sort commonly used for SSL and HTTPS, are signed is to prevent a MITM from successfully impersonating the response by introducing a third party co-signer of the original certificate, namely the certificate authority. The situation could be complicated still further by the use of an encrypted point-to-point or site-to-site connection through SSH or VPN. This is the sort of tool that might work on a naive or unsophisticated target, but against a well-informed and equipped adversary it would probably not suffice, unless it has the capability to punch through the security measures described above too, which would be impressive to say the least.

    1. Re:What About HTTPS? by scdeimos · · Score: 5, Informative

      You put far too much faith in HTTPS.

      The default settings of SSL/TLS libraries on most operating systems make man-in-the-middle attacks trivial. When an SSL/TLS session is negotiated only the following things are validated:

      1. The origin server certificate trust chain is ultimately signed by a Trusted Root certificate - any trusted root certificate.
      2. The valid-from and valid-to dates on the certificate are current.
      3. The desired host name is in the Subject or SubjectAlt fields, which is a useless check with 0% value.

      So, why would I say that the host name check is a useless check with 0% value? Because TLS has been neutered since SNI was introduced (RFC 3546 Transport Layer Security Extensions # Server Name Indication). Before then SSL/TLS was "reasonably secure" but since then it is virtually worthless. Under SNI the connecting client tells the origin server which host name it is connecting to and, thanks to that gaping hole, the origin server (or any man-in-the-middle appliance) has enough information to either generate a fake certificate or pull one out of its cache.

    2. Re:What About HTTPS? by Anonymous Coward · · Score: 1

      SNI is not the problem.

      If you have the ability to generate valid certificates that chain properly to a trusted root certificate, then with or without SNI doesn't matter. Without SNI every server name would have to have a unique IP, so the MITM would know who you're connecting to. With SNI you have to tell the server which identity you're trying to connect to, so the MITM would know who you're connecting to.

      SNI doesn't change the security of SSL/TLS.

    3. Re:What About HTTPS? by AHuxley · · Score: 1

      Might save a user on a wider global network. A Project Bullrun or Edgehill seemed to show some thinking about the HTTPS issue https://en.wikipedia.org/wiki/....
      Back in the plain text part at the safe end of the LAN network?

      --
      Domestic spying is now "Benign Information Gathering"

    4. Re:What About HTTPS? by scdeimos · · Score: 4, Informative

      I think maybe your head is in the sand if you can't see how SNI weakened TLS as a security protocol. SNI was created because Web Hosters and businesses didn't want to keep paying for additional IPv4 address space - prior to that you could only host a single SSL/TLS-enabled web site on any given IPv4's tcp/443. Instead of migrating everybody to IPv6 where every host could have a unique address they pushed for SNI to add HTTP Host-like header capabilities to TLS.

      Your premise that SNI is not a huge problem is only valid if, and only if, you can guarantee that every single trusted root certificate (and every single Server Identity capable intermediate certificate signed by them) has never been compromised by an attacker. Show me any US-based Certificate Authorities issuing NSL canaries and the like. Some CAs don't even specify a maximum chain length on their root/intermediate certificates.

      If you'd like to see a practical HTTPS man-in-the-middle demonstration on your favorite Windows desktop just install Telerik's Fiddler tool and enable the HTTPS Intercept option. This installs its own certificate into your Trusted Root Certificate store and then re-encrypts all of your HTTPS connections so you can inspect the traffic.

    5. Re:What About HTTPS? by Anonymous Coward · · Score: 0

      from your posts it is clear you have no real world practical experience. high-level attackers are not intercepting ssl en-masse as there is no need.

      you either serve your exploit by dropping in some code to an unencrypted http stream (everyone leaks some http out of their browser) or if you are in possession of a ca cert you target specific things (software updates, popular websites) and do it that way.

      your point about sni, while technically valid, doesn't actually weaken anything in the real world because things are fucked enough already.

    6. Re:What About HTTPS? by scdeimos · · Score: 1

      I never said there were not easier ways to infiltrate computers. If you actually read what I replied to I was pointing out that the parent put far too much faith in the ability of X.509 certificates and SSL and HTTPS, apparently assuming that they are the cure-all for MITM attacks when, in fact, they most definitely are not. (At least not as currently implemented.)

    7. Re:What About HTTPS? by Anonymous Coward · · Score: 0

      > ...thanks to [SNI], the origin server (or any man-in-the-middle appliance) has enough information to either generate a fake certificate or pull one out of its cache.

      I... uh... If the server can _generate a new, valid, TLS cert for a given host_, and you don't trust that server, then you've already goddamn lost.

      I mean, have you even thought for more than ten minutes about how this works? If a host along the path has that power, then SNI _doesn't weaken_ your security posture. Why? Because _without SNI_, then you can't have more than one TLS cert for a given IP address. To make it clear for you:

      * Without SNI, there is exactly _one_ TLS cert presented for a given IP address.

      * With SNI, there can be multiple TLS certs presented for a given IP address, and the client sends along the name of the one it wants to talk to.

      In _both_ cases, the attacker that you described knows _exactly_ which domain names to stuff into the TLS cert that the client will be presented with.

      Read (and understand) a goddamn RFC some time. Jesus.

      Vote Parent Down, -1 Misinformed Histrionics.

    8. Re:What About HTTPS? by phantomfive · · Score: 1

      Is there a proof-of-concept or anything for this vuln? I can't find anything.....I did find this, which clearly shows that HTTPS is vulnerable to hostile governments, but that's not the exploit you're talking about.

      --
      "First they came for the slanderers and i said nothing."

    9. Re:What About HTTPS? by Anonymous Coward · · Score: 0

      > ...[Fiddler] installs its own certificate into your Trusted Root Certificate store...

      Yep. Fiddler is ancient, and has nothing to do with SNI. It speaks poorly of the current crop of meta-moderators that your misinformed commentary is ranked "Insightful".

      > I think maybe your head is in the sand if you can't see how SNI weakened TLS as a security protocol....

      And you're an ignorant alarmist if you don't see how SNI does absolutely nothing to change the security posture of TLS.

      Look dreadfully closely at my bullet points in my first message. You'll find enlightenment.

    10. Re:What About HTTPS? by BronsCon · · Score: 1

      prior to that you could only host a single SSL/TLS-enabled web site on any given IPv4's tcp/443.

      Which, of course, meant that knowing which IP address someone was communicating with using SSL also meant knowing which site they were visiting. Now, with SNI, you need more than the packet headers to determine which site someone is talking to.

      It's no more or less secure, the same number of attack vectors exist, and with the same difficulty of attack; the attack surface just looks different now. That you can see the new attack vector but completely missed the old one does not change that.

      So I see you're talking to an IP address that is known to only host somesitethensacaresabout.net, I then know you're talking to somesitethensacaresabout.net and can go ahead and forge a certificate for that site, poison your DNS, and inject myself in the middle. That's before SNI, and still today for sites not utilizing SNI.

      Today? I see you're talking to an IP address that is known to host somesitethensacaresabout.net, anothersitethensadoesntcareabout.com, yetanothersitethensadoesntcareabout.com, onemoresitethensadoesntcareabout.com, additionalsitethensadoesntcareabout.com, someothersitethensadoesntcareabout.com, and stillanothersitethensadoesntcareabout.com, along with dozens of others. I can't guess which site you're trying to reach, so I either have to obtain certificates for all of them and *severely* poison your DNS (with dozens of falsified entries) and hope you're talking to the site I actually care about, or skip the certificates initially and just severely poison your DNS to see which site you're talking to (at which point you'll know something is up because your connections will fail due to lack of a proper certificate) before bothering to get a certificate.

      One of those is a fair bit more work and much easier to detect.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

    11. Re:What About HTTPS? by Anonymous Coward · · Score: 0

      ....and correct me if I'm wrong, since it is quite possible I've missed something, but this all still hinges on the attacker either A) having a valid cert signed by a trusted authority, or B) setting himself up as a trusted authority on your system.

      At the point of B, who gives a shit if they can intercept HTTPS traffic? They own the system already. They can just keylog and screencap everything.

    12. Re:What About HTTPS? by Anonymous Coward · · Score: 0

      "This installs its own certificate into your Trusted Root Certificate store and then re-encrypts all of your HTTPS connections so you can inspect the traffic."

      Yeah, that's trivial when you install a cert that says "I am the root of the internet and authoritative for everything". Otherwise you're limited to whatever domain space you managed to get a valid intermediate for, just like without SNI. That's still bad, but that's why we have revocation lists and whatnot.

    13. Re:What About HTTPS? by Anonymous Coward · · Score: 0

      That's still bad, but that's why we have revocation lists and whatnot.

      More often than not CRLs are not even checked. Every good MiTM attacker is going to add a CRL URL to their fake certificate... not.

    14. Re:What About HTTPS? by Anonymous Coward · · Score: 0

      Regardless of IPv4 or IPv6 you're not generally going to know that a given IP address is associated with somesitethensacaresabout.net - that only happens if there's a PTR record telling you that. Most hosting companies (including Amazon) set up PTR records for their address space using their own infrastructure names, e.g.: ip-10-10-10-10.us-west-1.compute.amazon.com. Those usually only get changed if the customer is running a mail server on those addresses and makes the appropriate requests.

      US-CERT apparently thought HTTPS Interception bad enough to issue Alert (TA17-075A) HTTPS Interception Weakens TLS Security about it earlier this year.

    15. Re:What About HTTPS? by BronsCon · · Score: 1

      You connect to the IP address on port 443 and, well, wouldn't ya know it, you're presented with the site's public certificate which, in turn, identifies the site. Aside from that, do you really think the NSA (as in my example) doesn't know the IP address of every public-facing server hosting somesitethensacaresabout.net?

      I see why you posted anonymously.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

    16. Re:What About HTTPS? by Anonymous Coward · · Score: 0

      Wow, this is the biggest load of crap I've read about TLS on here in a while. This assumes the server you're connecting to is already compromised or your attacker can issue signed certificates from a trusted CA, if that was the case, SNI is irrelevant.

  5. Julian Assange by Anonymous Coward · · Score: 0

    The hero of the people.

    1. Re:Julian Assange by Anonymous Coward · · Score: 0

      In exile, just like Snowden. They have learned how willing "the people" are to return the favor to their heroes.

    2. Re: Julian Assange by Anonymous Coward · · Score: 0, Troll

      The hero of dumb people maybe.
      The story should be titled "Assange desperate to remain relevant, leaks worthless information, fanbois desperate to ride his cock eat it up like candy."

    3. Re: Julian Assange by Anonymous Coward · · Score: 0

      Yup!

  6. Meh, ettercap and ARP poisoning are old by Anonymous Coward · · Score: 0

    I was messing about with MSN session on the local lan well before this.

    It's amazing how you can fuck up a conversation between two people by using regexps to replace the occasional word 'Hi' with 'Dude' and 'LOL' with 'fuck me'

  7. Chuck by Anonymous Coward · · Score: 0

    Didn't Chuck beat Fulcrum in season 4?

  8. Re: Now Trump can stop this! by Anonymous Coward · · Score: 0

    Trump said he was going to stop this.

  9. ARP poisoning? by schweini · · Score: 2

    This sounds like a simple ARP poisoning attack? No big deal?

    1. Re:ARP poisoning? by BlueStrat · · Score: 0

      This sounds like a simple ARP poisoning attack? No big deal?

      Pretty much what it appears. LAN attacks are pretty standard stuff, the nasty (and interesting) stuff would be the binaries and other bits they drop into the machine(s) after a successful penetration. There might actually be more relevant/usable/informative bits in the documentation than in the tools themselves.

      Good to see Assange isn't backing down from the US-led "Five-Eyes" international surveillance state that turned their resources inwards on their own domestic populations after the Cold War's end.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.

    2. Re:ARP poisoning? by StormReaver · · Score: 0

      ...the nasty (and interesting) stuff would be the binaries and other bits they drop into the machine(s) after a successful penetration.

      I disagree. Windows compromises are about as newsworthy as, "man flushes toilet. News at 11." If you're running Windows on a network, you're probably compromised. End of story.

      The only interesting part of all of this is: how are the systems being compromised? If it's Windows-only, then big frigging deal. If you're running Windows, you MUST always behave as if you have been compromised. Because you probably have been. Mac OS to a lesser extent, but Apple likes to disable or bypass the effective parts of BSD security in the misguided attempt at ease of use.

      But if these attacks are successfully penetrating Linux or standard BSD systems, then THAT'S news.

    3. Re:ARP poisoning? by BlueStrat · · Score: 1

      I disagree. Windows compromises are about as newsworthy as, "man flushes toilet. News at 11."

      It's not the Windows compromises themselves that are the "interesting" part, it's all the information and clues that can be gleaned from them about things like precisely what data is being collected, by whom, where it's sent, how often, where/what servers are sending it instructions, etc etc. There's a possible treasure-trove of useful data that can be gleaned, or at least hints and clues to further investigations and possible paths towards mitigation strategies.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.

    4. Re:ARP poisoning? by Anonymous Coward · · Score: 0

      It's literally a tweaked and recompiled ettercap.

      *yawn*
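    The ettercap `-M arp` invocation quoted earlier and this "simple ARP poisoning attack" thread describe the same LAN redirection the Archimedes manual does. As an added detection example (not code from the leak, the article or any poster), this script reads tcpdump-style ARP reply lines, constructed here, and flags the two symptoms a monitor on the segment would see: an IP whose MAC suddenly changes, and one MAC answering for several IPs.

```python
"""Added example: detecting ARP-cache poisoning from captured ARP replies."""
import re
from collections import defaultdict

# tcpdump-style ARP reply lines, constructed for this example. The last two show
# one station (44:aa) answering for both the gateway (.1) and a host (.2), the
# pattern an ARP MITM between those two addresses produces on the wire.
SAMPLE_LINES = [
    "12:00:00.100 ARP, Reply 192.168.111.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:00.200 ARP, Reply 192.168.111.2 is-at 00:11:22:33:44:02, length 28",
    "12:00:05.000 ARP, Request who-has 192.168.111.1 tell 192.168.111.2, length 28",
    "12:00:05.010 ARP, Reply 192.168.111.1 is-at 00:11:22:33:44:aa, length 28",
    "12:00:05.020 ARP, Reply 192.168.111.2 is-at 00:11:22:33:44:aa, length 28",
]

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_replies(lines):
    """Return (timestamp, ip, mac) for every ARP reply; requests are ignored."""
    replies = []
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_poisoning(replies, baseline=None):
    """Flag two symptoms of ARP poisoning.

    baseline: optional known-good ip -> mac map (e.g. the gateway's real MAC),
    so a spoofed gateway is caught on the very first bad reply.
    """
    table = dict(baseline or {})          # current ip -> mac view
    claims = defaultdict(set)             # mac -> set of ips it has answered for
    alerts = []
    for ts, ip, mac in replies:
        claims[mac].add(ip)
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts} {ip} moved from {previous} to {mac}")
        table[ip] = mac
    # One MAC answering for several IPs is how a two-target MITM looks on the
    # wire; routers that legitimately own several addresses need an allow-list.
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answered for {len(ips)} addresses: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_poisoning(parse_replies(SAMPLE_LINES)):
        print(alert)
```

    Feeding it a live capture is a matter of piping `tcpdump -l -n arp` lines into `parse_replies`; with a baseline entry for the gateway the first forged reply is enough to raise an alert.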

  10. Um... this is common? by Anonymous Coward · · Score: 1

    Almost every corporation in America uses the exact same technique to snoop and log employees' browsing habits. SSL MITM injection is nothing new at all.

  11. The way forwards.... by Anonymous Coward · · Score: 0

    IMHO as a non-expert.

    Track and flag certificates, a certificate that's been seen all the time for a site is trusted, one that suddenly appears is untrusted. Indicate this to the user.

    Remove the "valid-to" date. It defines a date where the certificate can legitimately be discarded and replaced. That is a date known to an attacker, it tells them when they can man in the middle attack. All certificates forward need to be issued with certs into the far distance. Neither party can change the cert without breaking the trust.

    Self signed is not evil. If it's time that ultimately confirms the certificate, not the certificate authority.

    Side note: I assume SNI was introduced for when servers run multiple virtual sites on the same IP address?? That won't change anytime soon given the limited IP addresses.
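    The three checks scdeimos lists in the HTTPS thread (chain to any trusted root, validity dates, host name) and the "track and flag certificates" idea in this post can be put side by side. This is an added example, not code from any poster: certificates are modelled as plain records with constructed fingerprints rather than parsed X.509, the chain is assumed to include the root, and the genuine and intercept chains are constructed sample data.

```python
"""Added example: stock TLS checks beside a first-seen fingerprint check."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str        # subject CN, e.g. "www.example.test"
    issuer: str         # CN of the signing certificate
    fingerprint: str    # constructed stand-in for a SHA-256 fingerprint
    not_before: datetime
    not_after: datetime
    sans: tuple = ()    # SubjectAltName DNS names


def hostname_matches(host, names):
    """Exact match, or a '*.' wildcard covering exactly one leading label."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.test"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def default_validation(chain, host, trusted_roots, now):
    """What a stock client checks: issuer links end at *any* trusted root,
    every cert is inside its validity window, and the leaf names the host."""
    problems = []
    leaf, root = chain[0], chain[-1]
    if not hostname_matches(host, (leaf.subject,) + tuple(leaf.sans)):
        problems.append("leaf does not name " + host)
    for c in chain:
        if not c.not_before <= now <= c.not_after:
            problems.append(c.subject + ": outside validity period")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(child.subject + ": issuer does not match next cert")
    if root.fingerprint not in {r.fingerprint for r in trusted_roots}:
        problems.append("chain does not end at a trusted root")
    return problems


def pinned_validation(chain, host, trusted_roots, now, pins):
    """Default checks plus trust-on-first-use: remember the leaf and root
    fingerprints seen for a host and flag any later change."""
    problems = default_validation(chain, host, trusted_roots, now)
    observed = (chain[0].fingerprint, chain[-1].fingerprint)
    if host not in pins:
        pins[host] = observed                      # first sight: record it
    elif pins[host] != observed:
        problems.append(f"{host}: certificate changed {pins[host]} -> {observed}")
    return problems


# Constructed sample: a genuine chain, and a forged chain issued by an
# interception root that has been added to the local trust store.
NOW = datetime(2017, 5, 6, tzinfo=timezone.utc)
Y2016 = datetime(2016, 1, 1, tzinfo=timezone.utc)
Y2020 = datetime(2020, 1, 1, tzinfo=timezone.utc)
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", "fp-root-public", Y2016, Y2020)
PUBLIC_ISSUING = Cert("Public Issuing CA", "Public Root CA", "fp-ca-public", Y2016, Y2020)
GENUINE_LEAF = Cert("www.example.test", "Public Issuing CA", "fp-leaf-genuine",
                    Y2016, Y2020, sans=("www.example.test", "example.test"))
INTERCEPT_ROOT = Cert("Local Intercept Root", "Local Intercept Root", "fp-root-local",
                      Y2016, Y2020)
FORGED_LEAF = Cert("www.example.test", "Local Intercept Root", "fp-leaf-forged",
                   Y2016, Y2020, sans=("www.example.test",))
GENUINE_CHAIN = [GENUINE_LEAF, PUBLIC_ISSUING, PUBLIC_ROOT]
FORGED_CHAIN = [FORGED_LEAF, INTERCEPT_ROOT]
TRUST_STORE = {PUBLIC_ROOT, INTERCEPT_ROOT}        # the intercept root is installed
```

    With the intercept root in the store the forged chain passes `default_validation` cleanly, which is the point the thread argues over; only the remembered fingerprints in `pinned_validation` tell the two chains apart.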

  12. Re: Now Trump can stop this! by PopeRatzo · · Score: 3, Insightful

    Trump said he was going to stop this.

    He also said Trumpcare was going to cover everyone.

    --
    You are welcome on my lawn.

  13. So what's it used for really? by Anonymous Coward · · Score: 1

    Is this the sort of thing that allows them to turn anyone into a terrorist or pedophile, by sending whatever they want no matter what the actual request had been?

  14. New or not, important to know and document by jbn-o · · Score: 1, Insightful

    Perhaps not new to IT admins but quite new to the vast majority of computer users who were likely unaware such things were possible, being done by the US government, and possibly affecting their non-work Internet access. Documentation like this and the Snowden revelations also help put a quick stop to anyone trying to minimize the importance of the news, particularly by making fun of the critique along the 'tin-foil hat' line. It's critically important that people know what's being done in their name. As other WikiLeaks documents show governments do pernicious things (including mass surveillance and extrajudicial murder).

  15. interesting by Anonymous Coward · · Score: 0

    I am not surprised by these LAN tools and attacks within my LAN.
    At home my old machines are being attacked by new Android devices which join my network. I was always wondering why those newly bought Android devices keep on attacking other endpoints on my LAN. This happened around 5 years ago, and since then I don't trust all devices on my LAN, even if they were newly bought and have default factory apps. I know something is fishy with those Android and Win7 machines in my LAN.

  16. Archimedes... by trabby · · Score: 1

    So if the tool is called Archimedes, does it use a bath-overflow exploit?

  17. For those claiming this isn't much... by zedaroca · · Score: 1

    Yes, ettercap, ARP poisoning, etc... technically this is something that has been done before with other tools.
    The importance of the publication is for detection/protection and for attribution. A lot of people will know who is/was after them, messing with their systems, etc.
    Since we are talking about murderers, it is very good to know.

  18. Why leak this? by sabbede · · Score: 2

    I thought Wikileaks was for blowing the whistle on wrongdoing. Is the CIA using these tools to spy on innocent civilians? Are they using them domestically in the US in violation of Federal law? Was there some pressing public need to have the tools spies use to spy on each other revealed?

    Where is the public benefit to this leak? If these tools were not being misused, isn't this just harming public security?

    1. Re:Why leak this? by Anonymous Coward · · Score: 1

      Wikileaks has proven they are not some benevolent organization dedicated to transparency. They cherry pick what they have to target who and what they want, e.g. Hillary Clinton's campaign while leaving Trump's campaign unscathed.

    2. Re:Why leak this? by Anonymous Coward · · Score: 0

      It is interesting to know how exactly the CIA spies on people. However, the pearl-clutching over the CIA doing what it's explicitly set up to do is nothing more than smoke and mirrors. Ever wonder why we don't see equivalent leaks of the Russian FSB?

    3. Re: Why leak this? by Rujiel · · Score: 1

      You're claiming WL had something on Trump that wasn't released. What's your proof? You realize WL didn't acquire the Clinton emails to begin with? So "y u no hack trump wikileaks!! " is pretty silly.

  19. Re: Now Trump can stop this! by coofercat · · Score: 1

    I'm not an American, but I'm not really sure 'Trumpcare' is what I'd like covering me under any circumstances.

  20. Re: Now Trump can stop this! by mab · · Score: 1

    Sure did

    https://www.washingtonpost.com/politics/trump-vows-insurance-for-everybody-in-obamacare-replacement-plan/2017/01/15/5f2b1e18-db5d-11e6-ad42-f3375f271c9c_story.html?hpid=hp_hp-top-table-main_trump-interview-822pm%3Ahomepage%2Fstory&utm_term=.947feeb07e26