Slashdot Mirror

← Back to Stories (view on slashdot.org)

WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (thehackernews.com)

Posted by BeauHD on from the remote-entry dept.

An anonymous reader quotes a report from The Hacker News: WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- implant for Microsoft Windows Xshell client, and Gyrfalcon -- targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then sends them to a CIA-controlled server.

22 of 140 comments (clear)

  1. Illegal by Anonymous Coward · · Score: 5, Informative

    I thought hacking was illegal under the computer crimes and abuse act?

    1. Re:Illegal by bobbied · · Score: 4, Informative

      For you yes it is illegal... For the government? Not so much...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Illegal by Anonymous Coward · · Score: 5, Insightful

      It's also illegal for the government. But they just look the other way like any good tyrant would. The way law works is to either take specific rights away from citizens by saying "thou shalt not X" (for example you will not break into someone's computer and steal information), or to grant specific rights to governments by saying "The government can X" (you can break into someone's computer and seize information IF YOU HAVE A WARRANT).

      Unfortunately governments over time adopt the attitude that they are allowed to do things if it's not prohibited by law. That is completely wrong. It's the citizen who is allowed to do anything that's not prohibited by law. Government requires law to grant them the right to do anything, otherwise they can't do it. But when you just ignore the law anyway because you know no one will prosecute you, or you can just pull out the "National Security" card...

    3. Re:Illegal by Anonymous Coward · · Score: 3, Informative

      I thought hacking was illegal under the computer crimes and abuse act?

      You thought wrong.

      18 U.S. Code 1030 - Fraud and related activity in connection with computers
      (a) Whoever—
      (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information....

      (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

    4. Re:Illegal by rtb61 · · Score: 5, Insightful

      For foreign governments, still very much so and according to the US government, a declaration of war, as they have stated repeatedly. According to the US Government's own big fat fucking mouths, when they hack your countries network, they have committed an act of war and should face the consequences. It would seem according to the US Governments own stance, that the US government should be publicly rebuked by the United Nations for committing acts of war all over the world, as defined by the US government.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:Illegal by Pseudonym · · Score: 2

      In many jurisdictions, it's technically illegal for an emergency service vehicle (e.g. police car, fire engine, ambulance) to speed or break red lights. It's also illegal to prosecute them if they're attending to an emergency.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    6. Re: Illegal by easyTree · · Score: 2

      Spontaneous outbreaks of terror attacks appear to have a chilling effect on such expressions of dismay.

      --
      Requiem for the American Dream
    7. Re:Illegal by quenda · · Score: 4, Interesting

      they have committed an act of war and should face the consequences.

      What consequences? The previous US gov't admitted to Stuxnet, a clear act of war - major sabotage, not just spying. And the consequences?
      None, except setting a precedent for everybody else. Its hard for the US to be taken seriously now if condemning other countries for cyber-attacks.

    8. Re:Illegal by Mashiki · · Score: 2

      It also creates loopholes for people, and smart people. Look at the case of the guy who was arrested and charged with CP. He either ended up with a severely reduced sentence, or it being dropped by the court(can't remember which), because while the government broke the law to discover who he was -- they were unwilling to disclose how they found out who he actually was. In western law there's a fundamental right of full disclosure, if the prosecution is unwilling to do that you're likely going to walk away as a free man.

      --
      Om, nomnomnom...
    9. Re:Illegal by BlueStrat · · Score: 2

      (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

      And therein lies the problem. No law, Act, nor Executive Order can allow the government to legally violate the US Constitution. They pretend it's not so, but it is and they are in violation of their oaths of office as well as guilty of numerous and blatant violations of civil rights under color of law and should be incarcerated for the rest of their lives with no chance of parole, at minimum.

      An unconstitutional law is no law at all. And no, nine guys in black robes are *not* the final arbiters, the people are.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    10. Re:Illegal by Wootery · · Score: 2

      ZDNet article on that case.

    11. Re:Illegal by BlueStrat · · Score: 2

      The people want free healthcare, and free housing, and free income. They DON'T want freedom nor the responsibility that comes with it.

      There's already a place right here in the US and in every nation on Earth where those people can have all of that free stuff and enjoy a life free from responsibility.

      It's called a "prison".

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  2. So... by Anonymous Coward · · Score: 5, Informative

    FTA

    BothanSpy is installed as a Shellterm 3.x extension on the target machine and only works if Xshell is running on it with active sessions.

    The user manual for Gyrfalcon v2.0 says that the implant is consist of "two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file."

    You need an attack vector to implant the malware.

    1. Re:So... by J053 · · Score: 4, Informative

      Not only that, the Gyrfalcon User Manual (Page 6) says:

      1. Extract the files from the 'upload' directory in the tarball (see section 2.3.1). Both the gyr64-linux
      (or gyr32-linux) and the encrypted config file (in the example, .gfconf) are needed. The
      executable can be renamed to suit the operation.
      2. Upload the files to the target using whatever means available. Place them in the 'Working
      Directory' (as specified in the configuration).
      3. Change to the working directory and execute gyrfalcon as root:
      $ su – (if necessary)
      # cd /gyrfalcon/working/directory
      # ls -a
      . .. .gfconf gyr64-linux
      # ./gyr64-linux /dev/null
      #

      So, someone who has root access to a Linux system can get the SSH keys of any user of that system. Well, duh....

    2. Re:So... by K.+S.+Kyosuke · · Score: 2

      You need an attack vector to implant the malware.

      Did many Bothans die to bring you this information?

      --
      Ezekiel 23:20
    3. Re: So... by hey! · · Score: 2

      Just because the manual is written as if you had a human typing commands into a shell doesn't necessarily mean that's how it was expected to be used. I imagine that when you're writing the manual for a piece of secret software you're supposed to be discreet about describing the exact capabilities other pieces of secret software have. At least I would be.

        In any case the precise vector used probably changes over time

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. Again? by WolfgangVL · · Score: 2

    I think I remember seeing this very tool in the "NSA catalog" type thing from the big ES leak.

    Just more proof; if it's on a computer, its insecure.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  4. There's no security hole here by Anonymous Coward · · Score: 5, Informative

    The manual says, "Upload the files to the target using whatever means available."
    This is something an agent puts on an already-compromised machine.

  5. Re:Windows, Linux... by Anonymous Coward · · Score: 3, Funny

    Nope. Apple installed their own implants except they have round edges.

  6. Re:At one point by skids · · Score: 4, Insightful

    C'mon... I'd be mad if our intelligence agencies didn't have this. This is just post-exploit kit. They'd be incompetent if they didn't have it. Even more incompetent than they were for letting this material escape the barn.

    The thing to get mad about is sabotage of products to maintain backdoors, and keeping bugs secret.

    --
    Someone had to do it.
  7. Re:At one point by quonset · · Score: 2

    What are you whining about? It's their job to be sneaky and surreptitiously collect data.

    You think they should announce to the world all the vulnerabilities they've found so those means can be closed? If those attack vectors are on the machine of a foreign government they provide invaluable ways of collecting data which don't involve putting someone's life at risk.

    What do you think a spy agency does? Tell their target, "Hey, we're going to put this software on your machine so we can listen in and record everything you do. Mkay?"

    I swear, people on here seem to think they're smarter than the average bear, but in reality their IQ falls with every breath they take.

  8. Re:At one point by Desler · · Score: 2

    You think they should announce to the world all the vulnerabilities they've found so those means can be closed?

    Yes, because we all become less safe when they are kept secret. Unless you're dumb to think only the US can find the vulnerabilities.