WikiLeaks
Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.
BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password, in the case of password-authenticated SSH sessions, or username, filename of the private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.
Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured using a CIA-developed rootkit (JQC/KitV) on the target machine.