Today WikiLeaks published further CIA documents from their Vault 7 series. The documents outline two computer implant projects named BothanSpy and Gyrfalcon. Both projects are designed to intercept and exfiltrate SSH credentials, but each works on a different operating system and uses a different attack vector.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.[1] The best-known application is remote login to computer systems by users.
BothanSpy - Wikileaks
- Windows-based implant that steals user credentials for all active SSH sessions by exploiting the SSH client program Xshell.
- Xshell is a commercial SSH and Telnet client and terminal emulator by NetSarang Computer, Inc.
- Installed as a Shellterm 3.x extension on the target machine.
- The credentials stolen are either the username and password (for password-authenticated SSH sessions) or the username, the filename of the private SSH key and the key password (if public key authentication is used).
- Exfiltrates stolen credentials straight to a CIA-operated command-and-control server, so the implant never touches the disk on the target system.
Gyrfalcon - Wikileaks
- Implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu).
- The implant can not only steal the user credentials of active SSH sessions but also collect full or partial OpenSSH session traffic.
If information collected by these methods cannot be sent back to a CIA control server, both implants are able to store the information in encrypted files for later collection.
Interestingly, the name used for these implants comes from the Star Wars Rebel Alliance.
Really great post, thanks a lot for sharing, and keep on posting ;)
Thank you. No problem.
Thanks for the summary, really useful. They are really just infringing on everything we have now. There's a strong need to really protect what little privacy we have left.
Yes. Assume everything is compromised and work back from there.
It's crazy what the CIA is able to do now. It's kind of cool that we can now see news on this in this alternative media of sorts. I never would have known. Also it's technically over my head, so thanks for explaining it somewhat.
Interesting
Great post. Thank you for the contribution.
Reshared @phibetaiota
Peace and love to you as always.
Thanks.