Thursday, March 28, 2024

Vault 7 Leaks : CIA Hacking Tools “BothanSpy” and “Gyrfalcon” Steals SSH Credentials From Windows and Linux Computers – WikiLeaks

WikiLeaks Revealed Another CIA Cyber Weapons called “BothanSpy” and “Gyrfalcon” steals the SSH Credentials from both Windows and Linux Platform and both tools are performing in Different OS Platform and Different Attack vector.

SSH (Secure Shell) Protocol is used for Communicate Network services securely from unsecured channel Especially for user Perform Remote Login and The standard TCP port 22 has been assigned for contacting SSH servers.

An implant BothanSpy Targets Windows Platform SSH client program Xshell and it Steals User Credentials for all active Sessions enabled Windows PC.

These Stolen Credentials will be either username and password, password-authenticated SSH sessions or username, Filename of SSH key and password if public key authentication is used

BothanSpy finally exfiltration the stolen credentials to a CIA-controlled server or else save it in an encrypted file and later it exfiltration to the CIA Controlled Server.

An Implant Gyrfalcon Targets the Linux Platforms(centos,debian,rhel,suse,ubuntu) OpenSSH client.

This Tool has some advance functions that can not only steal user credentials of active SSH sessions but is also capable of collecting full or partial OpenSSH session traffic.

BothanSpy – Steals SSH Credentials from Windows

BothanSpy Only Targeting Windows Platform and Steals user credentials for all active SSH sessions and SSH client program Xshell.

According to CIA Document, BothanSpy will exfiltrate the stolen credentials through the Fire and Collect (F&C) channel and out to disk on the attacker-side.

Since BothanSpy Using F&C Channel, its never touches the Disk and it Writes Stolen Credentials to Disk that encrypted with AES.

BothanSpy.dll requires no configuration before it can be used and To setup the attack box touse F&C, copy the ice_handler.py script to the attack machine, and open a shell at this location.

Xshell should Run on the Targeting Windows Machine for BothanSpy perform itssuccessful Attack and it has active sessions, Otherwise, Xshell is not storing credential information in the location BothanSpy will search.

To Steal the Targets Credentials  from all running Xshell processes that have active SSH ,CIA Used Following Command

>BothanSpy BothanSpy.dll> Forget
folder on target>\<base file name> <passphrase>

BothanSpy Much concern with  Xshell versions and it failed to steal the credentials from some of the version (Xshell version 2 build 0910).

Important Consideration of  BothanSpy is, it will not perform version checking at any stage.

Gyrfalcon – Steals SSH Credentials from Linux

According to the CIA Document, Gyrfalcon is an SSH session “sharing” tool operates on outbound OpenSSH sessions from the target host which is Capable of log SSH sessions including Login credentials.

By Executing the command, a legitimate user on the remote host can able to access the logged credentials.

“It is configured in advance, executed on the remote host and left running. Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data”

Based on the Configuration with a list of target IP address/netmask combinations, this tool has the ability to track multiple outbound SSH sessions.

To Execute the Process, by added “a” Command and the Following information, operator promote into initiate the attack.

  • Specify an IPv4 or IPv6 address/netmask:
  •  Specify Collection Behavior 
  • Specify the path to executable file.

Document Intimate that, Gyrfalcon writes to a collection file in its working directory. The filename was specified in the config file. Gyrfalcon continues to stream data to this file during the course of its normal operation.

The operator must signal gyrfalcon to flush its collection buffers before the data can be collected.

All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine.

Previous CIA Leaked Tools by WikiLeaks

OutlawCountry – Vault 7 Leaks: CIA Malware “OutlawCountry” Controls Linux Machine and Redirect the Victims Traffic into CIA Controlled Machine – WikiLeaks

ELSA – Vault 7 Leaks: CIA Malware “ELSA” Tracking Geo-Location of WiFi Enabled Windows Computers – WikiLeaks

Brutal Kangaroo – CIA Hacking Tool “Brutal Kangaroo” Revealed to Hack Air-Gapped Networks by using USB Thumb Drives -WikiLeaks

CherryBlossom –  Wikileaks Revealed New CIA Wireless Hacking Tool “Cherry Blossom” Compromise Your Wireless Network Devices using MITM Attack

Pandemic –  New CIA Cyberweapon Malware “Pandemic” installed in Victims Machine and Replaced Target files where remote users use SMB to Download

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles