Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Saturday July 08 2017, @09:30AM   Printer-friendly
from the feeling-secure? dept.

WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors.

Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network.

Dubbed BothanSpy — implant for Microsoft Windows Xshell client, and Gyrfalcon — targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.

Both implants steal user credentials for all active SSH sessions and then sends them to a CIA-controlled server.

BothanSpy is installed as a Shellterm 3.x extension on the target machine and only works if Xshell is running on it with active sessions.

[...] Gyrfalcon targets Linux systems (32 or 64-bit kernel) using a CIA-developed JQC/KitV rootkit for persistent access.

Source: The Hacker News

The latest addition to WikiLeaks' Vault 7 cache of CIA tools and documents gives details of tools used by the agency to attack Windows and Linux computers. The BothanSpy and Gyrfalcon projects can be used to intercept and exfiltrate SSH (Secure Shell) credentials.

BothanSpy is used to target Windows, while Gyrfalcon is used for Linux machines, with both working in different ways. A number of popular distros can be hit by Gyrfalcon, including CentOS, Debian, RedHat, openSUSE and Ubuntu, and both tools function as implants that steal credentials before transmitting them to a CIA server.

The leaked documentation for the tools was updated as recently as March 2015, and the file relating to BothanSpy reveals that XShell needs to be installed as it itself installs as a Shellterm extension. There are smatterings of humor throughout the file, with a warning that: "It does not destroy the Death Star, nor does it detect traps laid by The Emperor to destroy Rebel fleets." There is also the introductory quip: "Many Bothan spies will die to bring you this information, remember their sacrifice."

Source: BetaNews


Original Submission

Related Stories

Default OpenSSH-Portable RSA Private Key Encryption is Poor 15 comments

The Latacora firm has a blog post asserting that OpenSSH-portable has poor defaults for encrypting private RSA keys because of its reliance on OpenSSL. The blog goes into why this is a problem and how you can test it for yourself.

There is nothing wrong with the generated RSA keys themselves, however, just the encryption of the private RSA keys -- if made using current defaults. There are two ways of encrypting RSA keys, an old and apparently insecure way, and a new key format available but not default. Newer key types like Ed25519 use only the new key format and are not bothered by this problem.

Earlier on SN:
WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (2017)
Upgrade Your SSH Keys (2016)
OpenSSH 6.8 Will Feature Key Discovery and Rotation for Easier Switching to DJB's Ed25519 (2015)


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 3, Insightful) by Snotnose on Saturday July 08 2017, @11:25AM (3 children)

    by Snotnose (1623) on Saturday July 08 2017, @11:25AM (#536493)

    but they've been busy little beavers the past decade or so. Busy evil beavers, but still. Ya gotta admire their work ethic.

    / assholes
    // they could have done wonders in making us all more secure
    /// but noooooooo

    --
    Why shouldn't we judge a book by it's cover? It's got the author, title, and a summary of what the book's about.
    • (Score: 4, Insightful) by JoeMerchant on Saturday July 08 2017, @12:43PM (2 children)

      by JoeMerchant (3937) on Saturday July 08 2017, @12:43PM (#536508)

      More secure is not their goal.

      Exposure of these exploits will drive greater security in the future.

      Who's your hero here?

      --
      🌻🌻 [google.com]
      • (Score: 2) by JNCF on Saturday July 08 2017, @03:17PM (1 child)

        by JNCF (4317) on Saturday July 08 2017, @03:17PM (#536545) Journal

        In hindsight "BothanSpy" seems like a particularly poor choice of metaphors, given that the plans for it have been from the Empire by the Rebels.

        • (Score: 2) by JoeMerchant on Saturday July 08 2017, @06:17PM

          by JoeMerchant (3937) on Saturday July 08 2017, @06:17PM (#536597)

          The agency created the name, probably somebody in there trying to convince themselves that they were the good guys.

          --
          🌻🌻 [google.com]
  • (Score: 2) by kaszz on Saturday July 08 2017, @11:37AM (3 children)

    by kaszz (4211) on Saturday July 08 2017, @11:37AM (#536494) Journal

    It seems to be affected the machine already must have been compromised with some rootkit. Thus keep a lookout for modified system files, loadable kernel modules, what processes that are loaded and firewalls:

    Gyrfalcon targets Linux systems (32 or 64-bit kernel) using a CIA-developed JQC/KitV rootkit for persistent access. /../ Gyrfalcon is also capable of collecting full or partial OpenSSH session traffic, and stores stolen information in an encrypted file for later exfiltration.

    The rest of the tools seems to 90% be about the Microsoft shit and some IoT that let their microphones and cameras do all kinds of surveillance for free. Thus it might be an idea to really tighten your firewall, both ways. And actively destroy any WiFi traffic.

    This also makes it obvious that binary blobs is a gigantic security vulnerability and that being able to run free open source software on bought hardware should be a requirement when that is possible. This means BIOS, Intel AMT, harddisc firmware, Network interface firmware, Raspberry-Pi graphics blob, NVidia free but binary only driver, network equipment etc. Be aware of processes or modules residing in memory that lack a corresponding binary. In memory only executable are used to cover tracks so at least a minimum reboot can flush them.

    Be observant on how careful your peers are with sensitive information. If they blabber about it on facebook, twitter or any other junk service, then stop divulging anything to them. The same goes if they use insecure devices to communicate your personal information on Microsoft Windows 10 or computerphones (smartphones).

    It might be useful to account detailed usage of energy, network, radio spectrum etc to spot electronic intrusions.

    • (Score: 3, Funny) by c0lo on Saturday July 08 2017, @11:55AM

      by c0lo (156) Subscriber Badge on Saturday July 08 2017, @11:55AM (#536500) Journal

      Eh, you can skip the all the above by simply relocation to Las Vegas: what happens there, stays there, guaranteed no ex-filtration.

      (grin)

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by frojack on Saturday July 08 2017, @04:55PM (1 child)

      by frojack (1554) on Saturday July 08 2017, @04:55PM (#536573) Journal

      machine already must have been compromised with some rootkit.

      Exactly. Once you have that, you could just as well email the private keys and be done with it.

      I suppose the real target here is the recording of live ssh sessions, but that seems once you have your root kit in place you wouldn't need any ssh keys anymore because its easier to grab the data after it has been decrypted.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by kaszz on Saturday July 08 2017, @05:24PM

        by kaszz (4211) on Saturday July 08 2017, @05:24PM (#536577) Journal

        Rather by extracting the keys the traffic can be tapped and decoded from the network backbone, just like "Room 641A" in San Francisco hints. That way no extra ex-filtration traffic is required and all recording can be done in silence.

  • (Score: 2) by kaszz on Saturday July 08 2017, @12:19PM (4 children)

    by kaszz (4211) on Saturday July 08 2017, @12:19PM (#536503) Journal

    Qzukk at the green slime site says:

    The key is in collecting them from the openssh client/key agent memory between the time you enter the passphrase to decrypt it, and the time it's eventually unloaded from RAM.

    So distrust your own memory?
    Bobby trap memory sections?

    • (Score: 4, Insightful) by maxwell demon on Saturday July 08 2017, @12:57PM

      by maxwell demon (1608) on Saturday July 08 2017, @12:57PM (#536510) Journal

      The moment an attacker got root on your system, there's nothing on that system which you can still trust.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by isostatic on Saturday July 08 2017, @06:52PM (2 children)

      by isostatic (365) on Saturday July 08 2017, @06:52PM (#536605) Journal

      Bobby trap memory sections?

      Is he related to Bobby Tables?

      • (Score: 2) by kaszz on Saturday July 08 2017, @11:06PM (1 child)

        by kaszz (4211) on Saturday July 08 2017, @11:06PM (#536677) Journal

        Rather set memory regions as protected areas so any access will segfault where the snooping process will not expect it. But which will normally not be triggered because no other process is supposed to read there. Another way is some kind of breakpoint but that is likely setup the same way.

        • (Score: 0) by Anonymous Coward on Monday July 10 2017, @02:11PM

          by Anonymous Coward on Monday July 10 2017, @02:11PM (#537116)

          I'm pretty sure he was referring to your misspelling of "booby trap".

  • (Score: 3, Funny) by digitalaudiorock on Saturday July 08 2017, @02:16PM

    by digitalaudiorock (688) on Saturday July 08 2017, @02:16PM (#536535) Journal

    The key here is clearly to use PuTTY, as even the CIA won't be able to figure out how to properly convert them to usable keys (ducks)...

  • (Score: 0) by Anonymous Coward on Saturday July 08 2017, @03:51PM (2 children)

    by Anonymous Coward on Saturday July 08 2017, @03:51PM (#536553)

    all these stories about tools that do the basic work of reading and exfiltration data are interesting and everything but how about the initial exploits. as others have said, none of this bullshit works unless they already have control of your OS. well, no shit. what we need to know is what They are doing to get on the systems to begin with.

    • (Score: 3, Interesting) by frojack on Saturday July 08 2017, @05:09PM (1 child)

      by frojack (1554) on Saturday July 08 2017, @05:09PM (#536575) Journal

      what we need to know is what They are doing to get on the systems to begin with.

      I suspect you already know the answer to that. Its built into Windows. Its Delivered Post-install with your next update. Its probably built into browsers or add-ons/plugins. Who's really funding Adobe?, Skype? VPN hosting networks?

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by kaszz on Saturday July 08 2017, @05:41PM

        by kaszz (4211) on Saturday July 08 2017, @05:41PM (#536582) Journal

        In the case of Skype it's owned by Microsoft. And that is the company that was first in bed with the letter combinations.
        I think that sets the frame work for the rest.

  • (Score: 0) by Anonymous Coward on Sunday July 09 2017, @01:13AM

    by Anonymous Coward on Sunday July 09 2017, @01:13AM (#536714)

    Did Russians already used this for hacking the US elections and nukes? No? What a waste.

(1)