SafeUM
2 Jun 2017

WikiLeaks says CIA’s “Pandemic” turns servers into infectious Patient Zero

WikiLeaks just published details of a purported CIA operation that turns Windows file servers into covert attack machines that surreptitiously infect computers of interest inside a targeted network.

"Pandemic," as the implant is codenamed, turns file servers into a secret carrier of whatever malware CIA operatives want to install, according to documents published Thursday by WikiLeaks.

When targeted computers attempt to access a file on the compromised server, Pandemic uses a bait-and-switch tactic to surreptitiously deliver a malicious version of the requested file. The Trojan is then executed by the targeted computers. A user manual said Pandemic takes only 15 seconds to install. The documents didn't describe precisely how Pandemic would get installed on a file server. In a note accompanying Thursday's release, WikiLeaks officials wrote:

    Today, June 1st 2017, WikiLeaks publishes documents from the "Pandemic" project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. "Pandemic" targets remote users by replacing application code on-the-fly with a Trojaned version if the program is retrieved from the infected machine. To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets).

    As the name suggests, a single computer on a local network with shared drives that is infected with the "Pandemic" implant will act like a "Patient Zero" in the spread of a disease. It will infect remote computers if the user executes programs stored on the pandemic file server. Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.
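The description above gives a defender one concrete check: the on-disk file stays unchanged while the copy delivered over SMB is swapped, so hashing the file on the server's own disk and hashing the same file as a client receives it through the share should agree unless something is rewriting it in transit. The following script is an added example, not code from the article or from the leaked documents; the server name FILESRV and share name Apps are hypothetical, and it assumes PowerShell Remoting is enabled on the server.

```powershell
# Added example (not from the article or the leaked documents). Assumes a hypothetical
# file server FILESRV with a share named Apps, and PowerShell Remoting reachable on it.
param(
    [string]$Server = 'FILESRV',
    [string]$Share  = 'Apps'
)

# Reference view: hashes computed ON the server from its local disk. Per the leaked
# description the file on disk is left unchanged, so this is the trustworthy side.
$localHashes = Invoke-Command -ComputerName $Server -ArgumentList $Share -ScriptBlock {
    param($Share)
    $root = (Get-SmbShare -Name $Share).Path
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.msi |
        ForEach-Object {
            [pscustomobject]@{
                Relative = $_.FullName.Substring($root.Length).TrimStart('\')
                Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Client view: hash the same files as this machine actually receives them over SMB.
$mismatches = foreach ($entry in $localHashes) {
    $unc    = "\\$Server\$Share\$($entry.Relative)"
    $served = (Get-FileHash -Path $unc -Algorithm SHA256).Hash
    if ($served -ne $entry.Hash) {
        [pscustomobject]@{ File = $unc; OnServer = $entry.Hash; AsServed = $served }
    }
}

if ($mismatches) { $mismatches | Format-Table -AutoSize } else { 'No in-transit differences found.' }
```

Because the leaked note says replacement happens only for a selected list of targets, run the comparison from the client machines you are worried about, not from an administrator's workstation; a client that is not on the target list will see no difference.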

CIA officials have never confirmed or refuted the authenticity of the documents released in the "Vault 7" series, which WikiLeaks claims includes confidential documents it obtained when the CIA "lost control of the majority of its hacking arsenal." Outside experts on malware, however, have said the documents appear to be legitimate. Security company Symantec has also definitively tied malware described in one Vault 7 release to a known hacking operation that has been penetrating governments and private industries around the world for years.

“Very specific use”

Documentation that accompanied Thursday's release said that Pandemic is installed as a minifilter device driver. Jake Williams, a malware expert at Rendition InfoSec, told Ars that this means Pandemic would have to be signed by a valid digital certificate that was either bought or stolen by the operative, or it means the implant would have to be installed using an exploit that circumvented code-signing requirements. The driver-signing restriction and other technical details, he said, give the impression the tool isn't in widespread use.
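Since the documents describe Pandemic as a minifilter driver, one hunting step on a suspect file server is to list the filters that are actually loaded and check the Authenticode signature of each driver image. This is an added example, not code from the article or the leaked documents; it must run in an elevated PowerShell session because `fltmc` requires administrator rights, and it assumes the filter name matches the driver's service name, which is the usual but not guaranteed case.

```powershell
# Added example (not from the article or the leaked documents). Run elevated.
# Lists loaded minifilters via fltmc and checks each driver image's Authenticode signature.
$filterNames = fltmc filters |
    Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-)' } |  # drop blank/header rows
    ForEach-Object { ($_ -split '\s+')[0] }

$drivers = Get-CimInstance -ClassName Win32_SystemDriver

foreach ($name in $filterNames) {
    # Assumption: the minifilter name equals the service name of its driver.
    $drv = $drivers | Where-Object { $_.Name -eq $name } | Select-Object -First 1
    if (-not $drv -or -not $drv.PathName) {
        [pscustomobject]@{ Filter = $name; Image = '(no matching service)'; Status = 'unknown'; Signer = '' }
        continue
    }
    $path = $drv.PathName -replace '^\\\?\?\\', ''   # strip the NT \??\ prefix if present
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Filter = $name
        Image  = $path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    }
}
```

A Valid status only shows the image is signed; as the article notes, the certificate could have been bought or stolen, so the useful review is of the Signer column for publishers you do not expect on a file server.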

"This code looks like it was developed with a very specific use in mind," he said. "Many larger organizations don't use Windows file servers to serve files. They use special built storage devices (network attached storage). My guess here would be that this was designed to target a relatively small organization."

Williams, who worked in the National Security Agency's elite Tailored Access Operations hacking group until 2013, said Thursday's release appeared to omit some of the documents operatives would need to use the Pandemic implant. "If you handed me this tool, I don't have enough information to make it go," he said. "There's more documentation than this. It's anyone's guess as to why it wasn't released."

The Vault 7 documents are a serious blow to the US intelligence community and its failed efforts to keep advanced software exploits confidential. Still, they aren't as sensitive as a separate trove of NSA hacking tools published over the past nine months by a mysterious group calling itself the Shadow Brokers.

Unlike the Vault 7 materials, the latter series of leaks includes all of the underlying exploit code, giving anyone the ability to wage potent attacks that were once the sole province of the world's most sophisticated hacking operation. NSA attack tools, most of which are designed to work remotely on a wide range of computers, are generally much more advanced than the CIA counterparts, which usually are used in the field by agents who already have some level of access to targeted computers or networks. Like previous Vault 7 releases, today's leak is a critical blow to US intelligence interests. But it's nowhere near as grave as the Shadow Brokers leaks.


Tags: information leaks, WikiLeaks, CIA
Source: Ars Technica