Slashdot Mirror


WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (thehackernews.com)

An anonymous reader quotes a report from The Hacker News: WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- an implant for the Microsoft Windows Xshell client -- and Gyrfalcon -- which targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.

7 of 140 comments

  1. Illegal by Anonymous Coward · · Score: 5, Informative

    I thought hacking was illegal under the computer crimes and abuse act?

    1. Re:Illegal by bobbied · · Score: 4, Informative

      For you yes it is illegal... For the government? Not so much...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Illegal by Anonymous Coward · · Score: 3, Informative

      I thought hacking was illegal under the computer crimes and abuse act?

      You thought wrong.

      18 U.S. Code 1030 - Fraud and related activity in connection with computers
      (a) Whoever—
      (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information....

      (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

  2. So... by Anonymous Coward · · Score: 5, Informative

    FTA

    BothanSpy is installed as a Shellterm 3.x extension on the target machine and only works if Xshell is running on it with active sessions.

    The user manual for Gyrfalcon v2.0 says that the implant consists of "two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file."

    You need an attack vector to implant the malware.

    1. Re:So... by J053 · · Score: 4, Informative

      Not only that, the Gyrfalcon User Manual (Page 6) says:

      1. Extract the files from the 'upload' directory in the tarball (see section 2.3.1). Both the gyr64-linux (or gyr32-linux) and the encrypted config file (in the example, .gfconf) are needed. The executable can be renamed to suit the operation.
      2. Upload the files to the target using whatever means available. Place them in the 'Working Directory' (as specified in the configuration).
      3. Change to the working directory and execute gyrfalcon as root:

      $ su - (if necessary)
      # cd /gyrfalcon/working/directory
      # ls -a
      . .. .gfconf gyr64-linux
      # ./gyr64-linux /dev/null
      #

      So, someone who has root access to a Linux system can get the SSH keys of any user of that system. Well, duh....

  3. There's no security hole here by Anonymous Coward · · Score: 5, Informative

    The manual says, "Upload the files to the target using whatever means available."
    This is something an agent puts on an already-compromised machine.
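The two comments above make the same defensive point: the implant runs as root on a host that is already compromised, and what it harvests are credentials from SSH client sessions that are live at the time. The page does not say how Gyrfalcon reaches into the client, so the following is an added detection example, not code from the article, the leaked manual, or either project. It assumes (and this is an assumption) that anything stealing credentials from a running OpenSSH client has to either attach to the process or load code into it, and checks two generic Linux indicators that are visible in /proc: an ssh client process with a tracer attached (TracerPid != 0), and an ssh client process with a shared object mapped from outside the standard library directories. The /proc status and maps text at the bottom is constructed sample data; the trusted-directory list and process names are assumptions to adjust for your distribution.

```python
"""Added defensive example: flag SSH client processes that are being traced
or have a shared object mapped from an unexpected location.

Not from the article or the leaked manuals; the indicators are generic
assumptions about how a live-session credential stealer would have to behave.
"""
import os
from dataclasses import dataclass, field

# Directories an OpenSSH client is expected to map shared objects from.
# Assumption, not from the page; extend for your distribution.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
_TRUSTED_PREFIXES = tuple(d + "/" for d in TRUSTED_LIB_DIRS)

# Process names (the /proc "Name:" field) treated as SSH clients. Assumption.
SSH_CLIENT_NAMES = {"ssh", "scp", "sftp", "ssh-agent"}


@dataclass
class Finding:
    pid: int
    comm: str
    reasons: list = field(default_factory=list)


def parse_status(text):
    """Parse /proc/<pid>/status ("Key:\\tvalue" lines) into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def untrusted_mappings(maps_text):
    """Return file-backed .so mappings whose path is outside TRUSTED_LIB_DIRS.

    /proc/<pid>/maps lines look like:
      7f1c... r-xp 00000000 08:01 1234   /usr/lib/x86_64-linux-gnu/libc.so.6
    Anonymous mappings and pseudo-paths such as [stack] carry no file path.
    """
    suspicious = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if not path.startswith("/"):
            continue  # [heap], [stack], [vdso], ...
        if (path.endswith(".so") or ".so." in path) and not path.startswith(_TRUSTED_PREFIXES):
            suspicious.add(path)
    return sorted(suspicious)


def inspect_process(pid, status_text, maps_text):
    """Apply both indicators to one process; return a Finding or None."""
    status = parse_status(status_text)
    comm = status.get("Name", "")
    if comm not in SSH_CLIENT_NAMES:
        return None
    finding = Finding(pid=pid, comm=comm)
    tracer = int(status.get("TracerPid", "0") or 0)
    if tracer != 0:
        finding.reasons.append(f"traced by pid {tracer}")
    for path in untrusted_mappings(maps_text):
        finding.reasons.append(f"untrusted shared object mapped: {path}")
    return finding if finding.reasons else None


def scan_proc(proc_root="/proc"):
    """Scan a live /proc tree. Run as root to see every user's processes;
    processes whose status/maps cannot be read are skipped."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/status") as fh:
                status_text = fh.read()
            with open(f"{proc_root}/{entry}/maps") as fh:
                maps_text = fh.read()
        except OSError:
            continue
        finding = inspect_process(int(entry), status_text, maps_text)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample data standing in for /proc/<pid>/status and /proc/<pid>/maps.
CLEAN_STATUS = "Name:\tssh\nState:\tS (sleeping)\nPid:\t4242\nTracerPid:\t0\n"
CLEAN_MAPS = (
    "55d0c0000000-55d0c00c0000 r-xp 00000000 08:01 9001  /usr/bin/ssh\n"
    "7f1c00000000-7f1c001c0000 r-xp 00000000 08:01 9002  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0     [stack]\n"
)
TRACED_STATUS = "Name:\tssh\nState:\tt (tracing stop)\nPid:\t4343\nTracerPid:\t3131\n"
INJECTED_MAPS = CLEAN_MAPS + (
    "7f1c00400000-7f1c00410000 r-xp 00000000 08:01 9100  /tmp/.cache/hook.so\n"
)

if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid {f.pid} ({f.comm}): " + "; ".join(f.reasons))
```

Two caveats for anyone turning this into a real check. TracerPid only shows an attachment that is in place at the moment of the scan, so an implant that attaches briefly, reads what it needs, and detaches will be missed; a persistent audit rule on ptrace and on opens of ~/.ssh private keys covers that gap better than polling. And because the comments are right that the implant runs as root, a root-level implant can also hide from or tamper with a root-level scan, which is why this belongs on a host whose integrity you still trust, or is fed from an out-of-band agent, rather than being treated as proof of a clean machine.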

  4. Stallman would say... by lannocc · · Score: 1, Informative

    Just change your password to . Passwords are a form of control; be free!