Thursday, 22 June 2017

wikileaks-Brutal-Kangaroo-airgap-malware





WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a tool suite that the CIA allegedly uses against Microsoft Windows systems on "closed networks by air gap jumping using thumb drives," the kind of networks found mainly in enterprises and critical infrastructure.

Air-gapped computers, isolated from the Internet and other external networks, are believed to be the most secure computers on the planet, yet they have become a regular target in recent years.

Dubbed Brutal Kangaroo (v1.2.1), the tool suite was allegedly designed by the Central Intelligence Agency (CIA) in 2012 to infiltrate a closed network or air-gapped computer within an organization or enterprise without requiring any direct access.
The previous version of Brutal Kangaroo was named EZCheese and exploited a vulnerability that remained a zero-day until March 2015; the newer version uses an "unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system."

Here's How the Air-Gap Attack Works


Like most air-gapped malware techniques we reported on The Hacker News, this hacking tool first infects an Internet-connected computer within the target organization and then installs the Brutal Kangaroo malware on it.

Infecting USB Drive

Even when it is hard to reach an Internet-connected PC inside the target organisation directly, the attackers can infect a computer belonging to one of the organisation's employees and then wait for that employee to insert a USB drive into it.
 


Now, as soon as a user (an employee of the organisation) inserts a USB stick into the infected computer, Shattered Assurance, a server-side tool, infects the USB drive with a separate piece of malware called Drifting Deadline (known as 'Emotional Simian' in the latest version).
The USB drive then infects the machines it is plugged into with the help of a flaw in the Microsoft Windows operating system that can be exploited by hand-crafted link files (.lnk) to load and execute programs (DLLs) without user interaction.

"The .lnk file(s) must be viewed in windows explorer, and the tool will be auto-executed without any further input," the manual says.

When the infected USB drive is used to share data with air-gapped computers, the malware spreads itself to those systems as well.
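
One defensive check a practitioner can run on removable media before it touches a sensitive host is to parse every shortcut on the drive and flag the ones that launch a DLL or script loader. The script below is an added example written for this post, not code from the leaked suite or from WikiLeaks: it decodes the public Shell Link (.lnk) layout, skips the optional IDList and LinkInfo blocks, and applies a few assumed heuristics (the loader watch-list, the `.dll` argument check and the `.library-ms` reference) to each file. The two shortcuts written by `demo_scan()` are constructed sample input; the file names, `payload.dll` and the heuristics themselves are this example's assumptions.

```python
"""Flag Windows shortcut (.lnk) files on a mounted drive whose target or arguments
point at a DLL/script loader.  Added example for this article; not code from the
leaked suite.  Layout follows the public MS-SHLLINK spec, heuristics are assumed."""
import struct
import sys
import tempfile
import uuid
from pathlib import Path

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
# StringData sections in their on-disk order, keyed by the LinkFlags bit that enables them
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
# Binaries a shortcut on removable media rarely needs to launch (assumed watch-list)
LOADER_BINARIES = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "powershell.exe",
                   "mshta.exe", "wscript.exe", "cscript.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields of a Shell Link blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize, not a Shell Link")
    if uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID:
        raise ValueError("bad LinkCLSID, not a Shell Link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:  # skip LinkTargetIDList: uint16 size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its first dword is its total size
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # character count
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + width * count]
        off += width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def assess(fields: dict) -> list:
    """Heuristic reasons a parsed shortcut deserves review (empty list = benign-looking)."""
    target = fields.get("relative_path", "").replace("/", "\\").lower()
    basename = target.rsplit("\\", 1)[-1]
    args = fields.get("arguments", "").lower()
    reasons = []
    if basename in LOADER_BINARIES:
        reasons.append("target is a script/DLL loader: " + basename)
    if ".dll" in args:
        reasons.append("arguments hand a DLL to the target")
    if ".library-ms" in target or ".library-ms" in args:
        reasons.append("references a Windows Library (.library-ms) file")
    return reasons


def scan_directory(root: str) -> list:
    """Return (path, reasons) for every .lnk under root that trips a heuristic."""
    findings = []
    for path in Path(root).rglob("*.lnk"):
        try:
            reasons = assess(parse_lnk(path.read_bytes()))
        except ValueError as exc:  # malformed files are worth a look too
            reasons = ["unparseable: " + str(exc)]
        if reasons:
            findings.append((str(path), reasons))
    return findings


def build_lnk(relative_path: str, arguments: str = "", name: str = "") -> bytes:
    """Encode a minimal Unicode Shell Link; used only to construct sample input."""
    wanted = {"name": name, "relative_path": relative_path, "arguments": arguments}
    flags, body = IS_UNICODE, b""
    for bit, field in STRING_FIELDS:  # emit in on-disk order
        value = wanted.get(field)
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID.bytes_le + struct.pack("<I", flags)
    return header + b"\x00" * (76 - len(header)) + body  # attributes/timestamps left zero


def demo_scan() -> list:
    """Write two constructed shortcuts (sample data, not real IoCs) to a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="lnkscan-")
    Path(root, "Quarterly Report.lnk").write_bytes(build_lnk(
        r"..\..\Windows\System32\rundll32.exe", "payload.dll,Start", "Quarterly Report"))
    Path(root, "notes.lnk").write_bytes(build_lnk(r".\notes.txt"))
    return scan_directory(root)


if __name__ == "__main__":
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for path, reasons in hits:
        print(path, "->", "; ".join(reasons))
```

Run it with a mount point as the first argument to scan a real drive; with no argument it scans its own constructed samples. It inspects only the StringData fields, so a shortcut that carries its target solely in the IDList parses cleanly and reports an empty relative path; treat that as a reason to look more closely rather than as a clean bill of health.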

    "If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked," WikiLeaks said.

    "Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables," a leaked CIA manual reads.
The malware then covertly starts collecting data from the infected air-gapped computers (Shadow is the primary persistence mechanism), and a module within the Brutal Kangaroo suite, dubbed "Broken Promise," analyzes the data for juicy information.

Previous Vault 7 CIA Leaks

Last week, WikiLeaks dumped an alleged CIA framework used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.

Dubbed "Cherry Blossom," the framework was basically a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs), which exploits router vulnerabilities to gain unauthorized access and then replace the firmware with custom Cherry Blossom firmware.

Since March, the whistleblowing group has published 12 batches of the "Vault 7" series, which include this week's and last week's leaks along with the following batches:


  • Pandemic – a CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
  • Athena – a spyware framework designed to take full control over Windows PCs remotely, which works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.
  • AfterMidnight and Assassin – two apparent CIA malware frameworks for the Windows platform designed to monitor and report back the activities of the infected remote host computer and execute malicious actions.
  • Archimedes – a Man-in-the-Middle attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
  • Scribbles – software reportedly designed to embed 'web beacons' into confidential files and documents, allowing the agency to track whistleblowers and insiders.
  • Grasshopper – a framework which allowed the agency to easily create custom malware for breaking into the Windows operating system and bypassing antivirus protection.
  • Marble – the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the spying agency to hide the actual source of its malware.
  • Dark Matter – revealed hacking exploits the CIA designed to target iPhones and Macs.
  • Weeping Angel – a spying tool used by the CIA to infiltrate smart TVs and then transform them into covert microphones.
  • Year Zero – disclosed several CIA hacking exploits for popular hardware and software.


WannaCry Ransomware is Back, Hits Honda and Traffic Cameras

It's been over a month since the WannaCry ransomware caused chaos worldwide, and people have started to count it as a thing of the past, but…

...WannaCry is not DEAD!

The self-spreading ransomware is still alive and is working absolutely fine.

The latest victims of WannaCry are Honda Motor Company and 55 speed and traffic light cameras in Australia.

The WannaCry ransomware shut down hospitals, telecom providers, and many businesses worldwide, infecting over 300,000 Windows systems running SMBv1 in more than 150 countries within just 72 hours of 12 May.
The worm leveraged an NSA Windows SMB exploit, dubbed EternalBlue, that the infamous hacking group Shadow Brokers leaked in its April data dump along with other Windows exploits.

Honda Stops Production After WannaCry Hits its Computer


Honda Motor Company released a statement this week saying the company was forced to halt production for more than 24 hours at one of its Japan-based factories after finding WannaCry infections in its computer networks.

The automaker halted production of more than 1,000 vehicles at its Sayama plant, northwest of Tokyo, on Monday 19 June after it discovered that the ransomware had affected networks across Japan, North America, Europe, China and other regions despite its efforts to secure its systems in mid-May, according to a Wednesday report from Reuters.

While Honda did not say how WannaCry got into its networks 37 days after a researcher activated the kill switch, it is clear that the computers inside the Honda network were either running unsupported versions of Windows or had not installed the highly critical patch Microsoft released in March.

Honda's Sayama plant, which produces the Accord sedan, the Odyssey minivan, the Step Wagon compact multipurpose vehicle and more, turns out around 1,000 vehicles per day.

Renault and Nissan were also infected by the WannaCry ransomware last month, which forced them to temporarily stop production at plants in Britain, India, Japan, France and Romania.

WannaCry Hits 55 Traffic-Light and Speed Cameras in Australia

Another recent WannaCry victim was spotted in Australia when the Victoria Police confirmed that the ransomware infected a total of 55 red light cameras and speed cameras in Victoria via private camera operator Redflex.

The malware locked down critical files and demanded a ransom in return (WannaCry usually demands $300 to unlock files), according to the 3AW morning radio show.

    "A system patch has been applied, which prevents the spread of the virus," the officials told the show. "The Department is in the process of removing the [WannaCry] virus from the affected cameras. The remaining websites will be rectified in the next couple of days."

The authorities believed the infection was the result of human error, likely on the part of a camera technician, rather than a targeted cyber attack, and that WannaCry got in via a USB drive.

    "Our advice at this stage is that a software virus has been detected however the camera system has not been compromised," the police said. "We will look into all incidents detected by the speed and red light cameras during the time in question as a matter of course. The integrity of the camera system has not been affected."

Well, it is quite surprising that even after knowing about the WannaCry issue for so long, big companies have still not implemented proper security measures to defend against the threat.

Ransomware has become an albatross around everyone's neck. Recently, a South Korean web hosting provider confirmed that it had paid a record $1 million ransom to hackers in return for its data following a ransomware attack over the weekend.

In cyberspace, Ignorance is not bliss. So, go and apply the goddamn patches and disable the unsecured, 30-year-old SMBv1 file-sharing protocol on your systems.