From https://thehackernews.com * Almost two months after releasing details of 23 different secret CIA hacking tool projects under Vault 7 series, Wikileaks today announced a new Vault 8 series that will reveal source codes and information about the backend infrastructure developed by the CIA hackers...the whistleblower organisation has also published its first batch of Vault 8 leak, releasing source code and development logs of Project Hive—a significant backend component the agency used to remotely control its malware covertly.
Blogger Note: This report is written by Swati Khandelwal
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.
The Super-Secret U.S. Spy Agency CIA said that it had “no comment on the authenticity of purported intelligence documents released by Wikileaks.”
In April this year, WikiLeaks disclosed a brief information about Project Hive, revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands to execute specific tasks on the targets and receive exfiltrated information from the target.
*Blogger Note: Hacker News is a social news website focusing on computer science and entrepreneurship. It is run by Paul Graham's investment fund and startup incubator, Y Combinator
Here's how it works:
Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.
Hive’s infrastructure has been specially designed to prevent attribution, which includes a public facing fake website following multi-stage communication over a Virtual Private Network (VPN).
"Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet," WikiLeaks says.As shown in the diagram, the malware implants directly communicate with a fake website, running over commercial VPS (Virtual Private Server), which looks innocent when opened directly into the web browser.
However, in the background, after authentication, the malware implant can communicate with the web server (hosting fake website), which then forwards malware-related traffic to a "hidden" CIA server called 'Blot' over a secure VPN connection.
The Blot server then forwards the traffic to an implant operator management gateway called'Honeycomb.'
In order to evade detection by the network administrators, the malware implants use fake digital certificates for Kaspersky Lab.
"Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities," WikiLeaks says. "The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town."
The whistleblowing organisation has released the source code for Project Hive which is now available for anyone, including investigative journalists and forensic experts, to download and dig into its functionalities.
The source code published in the Vault 8 series only contains software designed to run on servers controlled by the CIA, while WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities which could be abused by others. __________________________________________________________________________
WikiLeaks: CIA impersonated Kaspersky Labs as cover for malware operations
November 13, 2017
WikiLeaks, under its new Vault 8 series of released documents, has rolled out what it says is the source code to a previously noted CIA tool, called Hive, that is used to help hide espionage actions when the Agency implants malware.
WikiLeaks: CIA impersonated Kaspersky Labs as cover for malware operations
WikiLeaks, under its new Vault 8 series of released documents, has rolled out what it says is the source code to a previously noted CIA tool, called Hive, that is used to help hide espionage actions when the Agency implants malware.
Hive supposedly allows the CIA to covertly communicate with its software by making it hard or impossible to trace the malware back to the spy organisation by utilising a cover domain. Part of this, WikiLeaks said, is using fake digital certificates that impersonate other legitimate web groups, including Kaspersky Labs.
Kaspersky Labs CEO Eugene Kaspersky confirmed WikiLeaks statement.
Latest NSA breach "far exceeds" Edward Snowden leaks
"Deep Security Breach Cripples N.S.A.," says the stark headline atop today's N.Y. Times front page. "Mysterious Group Steals Powerful Hacking Weapons, Putting World in Danger ... A serial leak of the agency's cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide." Why it matters: The flood of digital secrets ... is raising profound questions (Multiple-Choice) 1. Have hackers and leakers made secrecy obsolete? 2. Has Russian intelligence simply outplayed the United States, penetrating the most closely guarded corners of its government? 3. None of the above ?
WikiLeaks began publishing the source code of alleged CIA hacking tools Thursday in a new series dubbed “Vault 8.” The source code, according to a press release from the anti-secrecy organization, is intended to “enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components.” “Source code published in this series contains software designed to run on servers controlled by the CIA,” WikiLeaks writes, stressing that the material does not contain 0-day or undisclosed vulnerabilities that could be utilized by others. . . “Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.”Details on Hive were first revealed last April as part of WikiLeaks’ release of CIA hacking tool documentation known as Vault 7. Mike Pompeo goes on to say, ". . .While the source code for Hive is unlikely to do little more than assist forensics analysts, the code for more powerful tools in Vault 7, if released, could potentially enable malicious attackers. . . " “Assange and his ilk make common cause with dictators today,” Pompeo said at the time.“Yes, they try unsuccessfully to cloak themselves and their actions in the language of liberty and privacy; in reality, however, they champion nothing but their own celebrity. Their currency is clickbait; their moral compass, nonexistent.” Although then-presidential candidate Donald Trump repeatedly praised WikiLeaks during his campaign, reports claimed last April that Trump’s Justice Department had prepared charges seeking the arrest of WikiLeaks founder Julian Assange. Link to original source > https://www.infowars.com/vault-8
_________________________________________________________________________________
From https://thehackernews.com * Almost two months after releasing details of 23 different secret CIA hacking tool projects under Vault 7 series, Wikileaks today announced a new Vault 8 series that will reveal source codes and information about the backend infrastructure developed by the CIA hackers...the whistleblower organisation has also published its first batch of Vault 8 leak, releasing source code and development logs of Project Hive—a significant backend component the agency used to remotely control its malware covertly.
In April this year, WikiLeaks disclosed a brief information about Project Hive, revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands to execute specific tasks on the targets and receive exfiltrated information from the target. 
Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.
"Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet," WikiLeaks says.As shown in the diagram, the malware implants directly communicate with a fake website, running over commercial VPS (Virtual Private Server), which looks innocent when opened directly into the web browser.
Details on Hive were first revealed last April as part of WikiLeaks’ release of CIA hacking tool documentation known as Vault 7. Mike Pompeo goes on to say, ". . .While the source code for Hive is unlikely to do little more than assist forensics analysts, the code for more powerful tools in Vault 7, if released, could potentially enable malicious attackers. . . " 
No comments:
Post a Comment