Wikileaks CIA Vault 7: July 2017 Releases
WikiLeaks releases four CIA malware spy programs: BothanSpy; Gyrfalcon; Highrise; UCL/Raytheon; and Imperial as part of its Vault 7 operation.
BothanSpy (Windowa) & Gyrfalcon (Linux)
On July 6, 2017 WikiLeaks published documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.
BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either (a) username and password in case of password-authenticated SSH sessions or (b) username, filename of private SSH key and key password if public key authentication is used.
BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.
Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.
July 13, 2017 WikiLeaks published documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.
UCL / Raytheon
July 19, 2017 WikiLeaks published documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.
Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analyzing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.
(S//NF) CSIT 15083 — HTTPBrowser
(S//NF) Symantec — Regin – Stealthy Surveillance
(S//NF) FireEye — HammerToss – Stealthy Tactics
July 27, 2017 WikiLeaks published documents from the Imperial project of the CIA. The Imperial project has three components: Achilles, Aeris and SeaPea.
Achilles is a capability that provides an operator the ability to Trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution.
Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants.
SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OSX 10.6 and 10.7.
/Edited by NHN
We humbly seek your support and ask for your generosity in helping us to continue to report to you on news and information you’ll not be getting with the lamestream propaganda media. All our authors have a passion for getting their information out to the general public.
SHARE: To get the word out please copy the article URL to post and comment on your social media platforms. Citizen journalists like myself are under assault by the federal government for they passed anti-Free Speech and Censorship law in the NDAA bill that was signed into law in the dead of night on Christmas Eve, 2016 by Islam Emperor Obama. Free Speech is under attack and NDAA has legalized censorship by Google, Facebook, Twitter, YouTube, Vimeo and most internet platforms because all are globalists and leftists. The establishment republicans are just as dangerous as the democrats, for both are Tyrants! Near all internet hosts suppress and censors articles and videos that do not toe the leftist, globalist and totalitarian line.
COMMENTS: I disabled comments on my articles because the spam was obscene. Each article I wrote was getting around 500 spam comments daily. We have anti-spam software but these spammers spend tons of money to bypass. I guess the Google algorithm does not suppress or censor spam attacks, only prevents them from being seen on key word searches. This site and my articles are SEO optimized but to no avail when trying to out-maneuver the spammers and censor algorithms.
DONATIONS: I am not salaried or compensated for writing and I am fine with that for my passion is distribution of information. I am a Patriot and NewsHawk Network is also. They are a new media site that started in 2017 and I am honored to write for them. They have no income and we row the same boat Passion together. If you like my writing please contribute by going to DONATE. NHN has an income sharing program that is proportionately distributed to authors based upon their overall contribution. Please give as you are able. I have provided a PayPal link below.
REWARDS PROGRAM: We have a rewards program set up to reward all who wish to help us financially. Please visit us at Patreon.com/NHN for details.
Support us monthly on Patreon.com/NHN $1 minimum. Tier program of rewards
Support us with a one-time or annual contribution at DONATE. $12 MINIMUM
View us on Vid.me/newshawknetwork Alternative to YouTube, so far no censoring
FakeBook Alternative: http://Minds.com Join Minds.com; its FREE and unlike Facebook UNCENSORED
Twitter Alternative: http://Gab.ai/NHN Join Gab, its FREE and unlike Twitter UNCENSORED