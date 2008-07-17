from the feeling-secure? dept.
WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors.
Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network.
Dubbed BothanSpy — implant for Microsoft Windows Xshell client, and Gyrfalcon — targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.
Both implants steal user credentials for all active SSH sessions and then sends them to a CIA-controlled server.
BothanSpy is installed as a Shellterm 3.x extension on the target machine and only works if Xshell is running on it with active sessions.
[...] Gyrfalcon targets Linux systems (32 or 64-bit kernel) using a CIA-developed JQC/KitV rootkit for persistent access.
The leaked documentation for the tools was updated as recently as March 2015, and the file relating to BothanSpy reveals that XShell needs to be installed as it itself installs as a Shellterm extension. There are smatterings of humor throughout the file, with a warning that: "It does not destroy the Death Star, nor does it detect traps laid by The Emperor to destroy Rebel fleets." There is also the introductory quip: "Many Bothan spies will die to bring you this information, remember their sacrifice."
