WikiLeaks Exposes CIA’s SSH Hacks for Windows and Linux
WikiLeaks has released new documents in their Vault 7 series of leaks exposing the CIA’s hacking tools. The new documents cover tools that the CIA uses to hack the Secure Shell (SSH) cryptographic protocol. SSH allows users to securely access other computers remotely over an unsecured network. Two exploits that allow the CIA to capture and exfiltrate SSH credentials are covered in the new release by WikiLeaks. These SSH exploits target SSH users who are running Windows or Linux operating systems. The two SSH hacks are known as BothanSpy and Gyrfalcon.
BothanSpy is used by the CIA to steal the usernames and passwords for all active SSH sessions of Windows users who are using Xshell. It “officially” supports Xshell Version 3, build 0288, Version 4, build 0127, Version 5, build 0497, and Version 5, build 0537. The documentation for BothanSpy states that it is risky to use the implant against certain versions of Xshell, and that it does not conduct a version check. If public key authentication is used, BothanSpy will intercept and exfiltrate the filename of the private SSH key and the key password. Xshell is a proprietary SSH and Telnet client that also functions as a terminal emulator. It is produced by NetSarang Computer, Inc. and was first released in 2002. The BothanSpy implant is installed as an extension for Shellterm 3. The stolen data can be sent to a server controlled by the CIA, so that no data is ever saved onto the victim’s hard drive. Alternatively, stolen data can be stored on the victim’s computer in an encrypted file and exfiltrated at a later date by other means.
Previously, WikiLeaks published documents which exposed the CIA’s ability to gain remote access to computers running Windows by using the Athena and Hera malware. The CIA had worked with a private corporation known as Siege Technologies to develop the Athena and Hera malware for Windows operating systems. In late June, WikiLeaks published documents on the CIA’s ELSA program. ELSA is malware which impacts Windows users who are using WiFi and enables the CIA to track someone using geo-location by monitoring ESS identifiers, WiFi signal strength, and MAC addresses.
Gyrfalcon is an implant that consists of two binaries that allow the CIA to hack OpenSSH on Linux operating systems. It is unclear whether Gyrfalcon impacts all Linux distributions, but the documentation for the implant states that it can target users of Ubuntu, Debian, CentOS, Suse, and Red Hat. It allows the CIA to intercept and exfiltrate usernames and passwords of active SSH sessions. The implant also has the ability to intercept some or all of the traffic of an OpenSSH session. The collected data is then compressed, stored in an encrypted file on the victim’s computer, and exfiltrated at a later time. Gyrfalcon is installed using the CIA’s JQC/KitV rootkit, and affects both 32-bit and 64-bit versions of Linux.
In late June WikiLeaks released documents on the CIA’s OutlawCountry program, which targets Linux operating systems. OutlawCountry enables the CIA to redirect the entire outbound traffic of a victim’s computer. It allows the CIA to both exfiltrate data from and infiltrate data onto a victim’s computer. OutlawCountry uses a kernel module that the CIA can install through shell access on the victim’s computer. The CIA malware then installs a hidden Netfilter table. The hidden Netfilter table allows rules to be created using the iptables command. These rules supersede any pre-existing rules on the victim’s computer, and an administrator can only discover them if they know the table name. OutlawCountry creates an obscure table name. The CIA relies on other exploits and backdoors to infect victims with OutlawCountry. Version 1.0 of OutlawCountry is limited to certain Linux kernels, such as the 64-bit versions of CentOS and Red Hat 6.
The new documents detailing BothanSpy and Gyrfalcon mark the 15th release in the Vault 7 series of CIA leaks. WikiLeaks began publishing its Vault 7 series of CIA documents in March and has been regularly releasing new documents every few weeks. More CIA leaks are expected to be published.