VAULT 7 | 'BothanSpy' and 'Gyrfalcon'- Implants That Steal SHH Credentials From Windows And Linux

in wikileaks •  7 years ago 

WL.-file-header.jpg

 

Today WikiLeaks published further CIA documents from their Vault 7 series. The documents outline 2 computer implant projects named BothanSpy and Gyrfalcon. Both projects are designed to intercept and exfiltrate SSH credentials but each work on different operating systems and use different attack vectors.

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.[1] The best known example application is for remote login to computer systems by users.

 

BothanSpy - Wikileaks

  • Windows based implant that steals user credentials for all active SSH sessions by exploiting SSH client program Xshell.

Xshell is a commercial SSH, Telnet client and Terminal Emulator by NetSarang Computer, Inc.

  • Installed as a Shellterm 3.x extension on the target machine.

  • Credentials stolen are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used.

  • Exfiltrate stolen credentials straight to a CIA operated command and control server so the implant never touches the disk on the target system.

Bothan.png

 
 

Gyrfalcon - Wikileaks

  • Implant that targets the OpenSSH client on Linux platforms (Centos, Debian, Rhel, Suse, Ubuntu).

  • The implant can not only steal user credentials of active SSH sessions. It is also capable however of collecting full or partial OpenSSH session traffic.

V .png


If information collected by these methods cannot be sent back to the a CIA control server then both implants are able to store the information in encrypted files for later collection.

Interestingly the name used for these implants is from the Star wars rebel alliance.

Bothan spy.png

Source



FORTIFIED

Steemit | Gab

THANK YOU FOR READING

- If You Would Like To Help Me Make More Great Original Content Please Consider Upvoting and Re-Steeming -

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

really great post thanks a lot for sharing and keep on posting ;)

Thank you. No problem.

thanks for the summary, really useful. They are really just infringing on everything we have now. There's a strong need to really protect what little privacy we have left

Yes. Assume everything is compromised and work back from there.

It's crazy what the CIA is able to do now. It's kind of cool that we can now see news on this in this alternative media of sorts. I never would have known. Also it's technically over my head, so thanks for explaining it somewhat.

Interesting

Great post. Thank you for the contribution.
Reshared @phibetaiota

Imgur

Peace and love to you as always.
Thanks.

Congratulations @fortified! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

  ·  7 years ago Reveal Comment