WikiLeaks Doc Dump Reveals CIA Tools For Hacking Air-Gapped PCs (bleepingcomputer.com) 74
An anonymous reader writes: "WikiLeaks dumped today the manuals of several hacking utilities part of Brutal Kangaroo, a CIA malware toolkit for hacking into air-gapped (offline) networks using tainted USB thumb drives," reports Bleeping Computer. The CIA uses these tools as part of a very complex attack process, that allows CIA operatives to infect offline, air-gapped networks. The first stage of these attacks start with the infection of a "primary host," an internet-connected computer at a targeted company. Malware on this primary host automatically infects all USB thumb drives inserted into the machine. If this thumb drive is connected to computers on an air-gapped network, a second malware is planted on these devices. This malware is so advanced, that it can even create a network of hacked air-gapped PCs that talk to each other and exchange commands. To infect the air-gapped computers, the CIA malware uses LNK (shortcut) files placed on the USB thumb drive. Once the user opens and views the content of the thumb drive in Windows Explorer, his air-gapped PC is infected without any other interaction.
Damn (Score:5, Interesting)
Once again, no love for macOS, Linux and BSD.
Re:Damn (Score:5, Funny)
Dude, RTFM. all you have to do is:
ls -l /dev/disk/by-path/ and find the stick's device. /tmp/usb /tmp/usb /tmp/usb ./ciamalware.sh
mkdir
mount [device node from first step]
cd
sudo
They do have Linux support. It's not that hard.
Re: (Score:2)
ROFL. Mod this guy up.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Leveraging stupidity (Score:5, Insightful)
If this thumb drive is connected to computers on an air-gapped network, a second malware is planted on these devices.
If you work at a company that has an air-gapped private network for security reasons and you actually do this, then you are a moron and deserve to be fired. I've worked for a defense contractor. We were all trained to not do stupid things like this; basic OPSEC.
Re: (Score:2)
How do you get AV updates onto said airgapped machine/network? When I was trying to set up a red network, one of our requirements (out of the DoD manual) was to have AV that was regularly updated.
Of course, back then, we didn't use USB.... we used CD-R (not CD-RW).
Re: (Score:1)
You used the safest solution - a CD or DVD. If malware were to try and install itself on a CD or DVD, the spin-up would be noticed. Keeping the OS on an image file that is stomped onto the OS partition every night is another way.
https://www.schneier.com/blog/archives/2013/10/air_gaps.html
Re: (Score:2)
What part "requirement from the DoD manuals" are you having a problem understanding?
Re: (Score:3)
Yeah... you're not describing an airgapped network.
Re: (Score:2)
OPSEC
Kinda like Manning walking in with a Lady Gaga CD, erasing it, and populating it with shit, and walking out.
Kinda like Snowden walking in and out.
Kinda like WikiLeaks getting hold of secret, well-guarded CIA stuff.
CaptainDork's 1st Corollary: "When it becomes digitized, it's in the public domain."
Re: (Score:3)
We were all trained to not do stupid things like this; basic OPSEC.
Yes, and yet we're all aware of hacks successfully targeting defense contractors, and Chinese war planes which strikingly resemble next-generation American designs. I wonder how they got the plans?
I'm sure RSA trained their employees not to do "stupid things like this" too, and yet they managed to get thoroughly owned several years ago.
People do stupid things all the time - even people who've received proper training. Yes, they deserve to be fired... but at that point the damage is done.
Re: (Score:3)
I'm sure RSA trained their employees not to do "stupid things like this" too,
To be fair, the RSA attack had less to do with a user making a dumb mistake and more a case of poor architectural choices (critical data on the same network as a low-level user, insufficient network segmentation, and honestly, there should have been an airgap between the RSA key secrets and the HR person whose system was compromised, or the admin user's workstation that the attack escalated too.
All that having been said, it was a VERY sophisticated attack by a well funded actor, and likely would have occurr
Re: (Score:2)
A short conversation with management and staff will allow any stranger to use usb sticks as needed.
The other method is to place usb sticks to be found or swap the usb sticks of trusted staff.
If a company or government orders a lot of office supplies online from a trusted US brand? That shipment might be a be altered on the way.
Just don't call it 'shocking' please. (Score:1)
Cool but... (Score:2)
A word to the wise: (Score:5, Insightful)
Never create a weapon that you wouldn't want to fall into the hands of your worst enemy... because it will.
Re: (Score:3)
The politics of trusted staff.
The staging servers that interesting people finally noticed..
The use of plain text and no crypto so contractors can make profits working on gov networks.
Too many secrets is now too many contractors.
Re: So don't use windows explorer, use an alternat (Score:2)
Re: So don't use windows explorer, use an alterna (Score:2)
Re: So don't use windows explorer, use an alterna (Score:2)
Re: So don't use windows explorer, use an alternat (Score:1)
Midnight Commander [midnight-commander.org]might be a good alternative. It's not just GPL, it's an official GNU project. Windows binaries are available if you don't want to build it from source.
It's a clone of the classic Norton Commander.
Re: (Score:2)
I second Midnight Commander.
It's an amazing application. One of its best features is it looks and works the same on Windows, macOS, Linux, and *BSD. Once you learn it (which isn't hard at all -- it's pretty darn self evident), you've boosted your productivity in all of the aforementioned operating systems.
Bonus feature: No Microsoft OneDrive advertisements built into the application!
Re: (Score:2)
The question is then to risk a network detecting the data moment and blame "malware" with another nations code litter.
Or to walk, post the USB stick using some cover story.
Re: (Score:2)
Some other file manager instead of windows explorer might not trigger the exploit, assuming autoplay is disabled? Maybe?
If I'm forced to use Windows, I like to use Far Manager [farmanager.com]. It's a text mode file manager so I can stroke my neckbeard while I use it.
Told you (Score:1)
Next time, listen.
I blame the router and modem manufacturers for this, actually.
"Oh, what harm could ever come from releasing source code to the Russians, it's not like they would subvert the elections in all Western nations"
Sure.
oh, and you should totally trust your anti-virus security to Russian firms too.
The surprising thing is you've pretty much only realized the tools we designed a few decades ago, until we realized how deeply the Russians had burrowed into you.
Impressive (Score:2)
So they managed to create a network requiring no persistent connections? They should claim their 2 mil prize [slashdot.org]!
Just imagine (Score:2)
This shit needs to stop. Hopefully the NSA and whomever have figured out they aren't the smartest kids in the room and decide to make us all more secure.
Damn, meds are wearing off and I'm back to reality. Shit, real life really sucks ass.
I guess Wikileaks saw the Window$ core leak too (Score:2)