ICYMI > Highrise + BothanSpy More CIA Listening Posts

Highrise

13 July, 2017

Today, July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an internet LP.

Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.

Source > https://wikileaks.org/vault7/#Highrise 

 

 

 

Vault 7 Leaks : CIA Android Hacking Tool “HighRise” Steals Data From Compromised Android Phones via SMS – WikiLeaks

BALAJI N - July 13, 2017

WikiLeaks Revealed a CIA Secret Document of  Android Mobile Hacking Tool called “HighRise” steal the victims Android smartphones data and send to CIA Control server using SMS messages for communication between Victims and CIA Controlled listener posts.

WikiLeaks Revealed Few days before Another CIA Cyber Weapons called “BothanSpy” and “Gyrfalcon” steals the SSH Credentials from both Windows and Linux Platform.

Read more > https://gbhackers.com/vault-7-leaks-cia-android-hacking-tool-highrise-steals-data-from-compromised-android-phones-via-sms-WikiLeaks/ 

Highrise is a Malicious Android Application Developed by CIA for mobile devices running Android 4.0 to 4.3 with Redirection Function for SMS messaging. And it acts as an SMS proxy for communication between implants and listening posts.

This Application separates the targets and listening port by an act as a proxy and incoming SMS Messages received by HighRise via the Internet and  Send “outgoing” SMS messages via the HighRise host to CIA  listener.
HighRise Provide Highly Encrypted communication channels between Highrise filed operator (targeted victims) and listener posts over TLS/SSL secured internet communications.

 

 

BothanSpy

6 July, 2017

Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.

 

 

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu).

The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

Links to Leaked Docs can be found on this page link

 

 

MORE >> Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.
Dubbed BothanSpy, implant for Microsoft Windows Xshell client, and Gyrfalcon, targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.Since March, the whistleblowing group has published 16 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following:

• OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating systems.
• ELSA – Alleged CIA malware that tracks geo-location of targeted computers and laptops running the Microsoft Windows operating system.
• Brutal Kangaroo – A tool suite for Microsoft's Windows used by the spying agency to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.
• Cherry Blossom – An agency's framework used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
• Pandemic – A CIA's project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
• Athena – An agency's spyware framework that has been developed to take full control of the infected Windows machines remotely, and works for every version of Microsoft's Windows operating systems, from XP to Windows 10.
• AfterMidnight and Assassin – Two CIA malware frameworks for the Windows platform that has been designed to monitor activities on the infected remote host computer and execute malicious actions.
• Archimedes – Man-in-the-middle attack tool allegedly developed by the CIA to target computers inside a Local Area Network (LAN).
• Scribbles – Software reportedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.
• Grasshopper – Framework that allowed the CIA hackers to easily create their custom malware for breaking into Microsoft's Windows OS and bypassing antivirus protection.
• Marble – Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
• Dark Matter – Hacking exploits the spying agency designed to target iOS and Mac systems.
• Weeping Angel – Spying tool used by the CIA hackers to infiltrate smart TVs, transforming them into covert microphones.
• Year Zero – Alleged CIA hacking exploits for popular software and hardware.

 

How CIA Agents Covertly Steal Data From Hacked Smartphones (Without Internet)

2017-07-13T04:40:00-11:00Thursday, July 13, 2017

WikiLeaks has today published the 16th batch of its ongoing Vault 7 leak, this time instead of revealing new malware or hacking tool, the whistleblower organisation has unveiled how CIA operatives stealthy collect and forward stolen data from compromised smartphones.
Previously we have reported about several CIA hacking tools, malware and implants used by the agency to remotely infiltrate and steal data from the targeted systems or smartphones.
However, this time neither Wikileaks nor the leaked CIA manual clearly explains how the agency operatives were using this tool.

Source: http://thehackernews.com/2017/07/cia-smartphone-hacking-tool.html

". . . But, since we have been covering every CIA leak from the very first day, we have understood a possible scenario and have illustrated how this newly revealed tool was being used.
Explained: How CIA Highrise Project Works

In general, the malware uses the internet connection to send stolen data after compromising a machine to the attacker-controlled server (listening posts), but in the case of smartphones, malware has an alternative way to send stolen data to the attackers i.e. via SMS.
But for collecting stolen data via SMS, one has to deal with a major issue – to sort and analyse bulk messages received from multiple targeted devices.
To solve this issue, the CIA created a simple Android application, dubbed Highrise, which works as an SMS proxy between the compromised devices and the listening post server.
"There are a number of IOC tools that use SMS messages for communication and HighRise is a SMS proxy that provides greater separation between devices in the field ("targets") and the listening post" by proxying ""incoming" and "outgoing" SMS messages to an internet LP," the leaked CIA manual reads.

What I understood after reading the manual is that CIA operatives need to install an application called "TideCheck" on their Android devices, which are set to receive all the stolen data via SMS from the compromised devices. . . "

Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.
Dubbed BothanSpy — implant for Microsoft Windows Xshell client, and Gyrfalcon — targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.
Since March, the whistleblowing group has published 16 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:

• OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating systems.
• ELSA – Alleged CIA malware that tracks geo-location of targeted computers and laptops running the Microsoft Windows operating system.
• Brutal Kangaroo – A tool suite for Microsoft's Windows used by the spying agency to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.
• Cherry Blossom – An agency's framework used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
• Pandemic – A CIA's project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
• Athena – An agency's spyware framework that has been developed to take full control of the infected Windows machines remotely, and works for every version of Microsoft's Windows operating systems, from XP to Windows 10.
• AfterMidnight and Assassin – Two CIA malware frameworks for the Windows platform that has been designed to monitor activities on the infected remote host computer and execute malicious actions.
• Archimedes – Man-in-the-middle attack tool allegedly developed by the CIA to target computers inside a Local Area Network (LAN).
• Scribbles – Software reportedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.
• Grasshopper – Framework that allowed the CIA hackers to easily create their custom malware for breaking into Microsoft's Windows OS and bypassing antivirus protection.
• Marble – Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
• Dark Matter – Hacking exploits the spying agency designed to target iOS and Mac systems.
• Weeping Angel – Spying tool used by the CIA hackers to infiltrate smart TVs, transforming them into covert microphones.
• Year Zero – Alleged CIA hacking exploits for popular software and hardware.