CIA Hacking Tool Released

Monday, June 19, 2017 @ 03:06 PM gHale

There is a tool used by the Central Intelligence Agency (CIA) to hack routers and access points, according to a WikiLeaks report.

CherryBlossom is a tool that can monitor a target’s Internet activity and deliver software exploits via wireless networking devices. WikiLeaks said the tool was developed and implemented by the CIA with the help of a U.S.-based nonprofit research center called Stanford Research Institute (SRI International).

CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), according to WikiLeaks.

These devices are the ideal spot for “Man-In-The-Middle” attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users, according to the WikiLeaks report. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.

The leaked documents show the tool has been under development since 2006 and that it worked on 200 device models from more than 20 vendors, including 3Com, Accton, Cisco, Ambit, AMIT, Asus, Apple, Breezecom, D-Link, Gemtek, Global Sun, Linksys, Orinoco, Planet Tec, Senao, US Robotics and Z-Com.

The main component of CherryBlossom is Flytrap. This implant can be delivered through several methods, according to WikiLeaks. One method involves a tool called Claymore, which allows users to remotely deliver a firmware update containing the implant.

The implant can also be installed via the targeted device’s firmware upgrade functionality, a method that requires knowledge of the administrator password and wireless security credentials. Flytrap can also be deployed using a specialized wireless upgrade package that works on some devices that don’t allow wireless firmware updates, and via physical access to the targeted router, typically via the supply chain.

Once the implant is in place, it communicates with a command and control (C&C) server called CherryTree. Flytrap is controlled via a web-based user interface named CherryWeb.

Users can instruct the implant to harvest email addresses, VoIP numbers and chat usernames, copy network traffic, redirect the browser, proxy the victim’s network connection, and execute other applications.
