WikiLeaks
Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.
The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as "primary host") and installs the Brutal Kangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.
The Brutal Kangaroo project consists of the following components: Drifting Deadline is the thumbdrive infection tool; Shattered Assurance is a server tool that handles automated infection of thumbdrives (as the primary mode of propagation for the Brutal Kangaroo suite); Broken Promise is the Brutal Kangaroo postprocessor (to evaluate collected information); and Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow instances are installed and share drives, tasking and payloads can be sent back and forth).
The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but as yet unknown, link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.
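Link files that hand execution to a DLL are the artefact a defender triages on removable media that has crossed between networks. The following is an added example, not code from the release or from the Brutal Kangaroo tooling: it parses the header and string fields of a .lnk file per the MS-SHLLINK layout and flags shortcuts whose target or arguments reference a DLL or a DLL-hosting binary. The sample shortcuts it checks are constructed inside the block.

```python
"""Triage .lnk files from removable media for DLL-loading targets.
Added example, not from the WikiLeaks release or the Brutal Kangaroo tooling.
Parses the MS-SHLLINK header and StringData; IDList and LinkInfo are skipped by size."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits, in order, per MS-SHLLINK 2.1.1
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]
# Target/argument tokens meaning the shortcut loads library code. rundll32 shortcuts
# are legitimate for Control Panel items, so this is a triage heuristic, not a verdict.
SUSPICIOUS = (".dll", "rundll32", "regsvr32", ".cpl")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob; ValueError if not a shell link."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:    # LinkTargetIDList: 2-byte IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 4-byte LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def suspicious_fields(fields: dict) -> list:
    """Target-bearing fields that reference a DLL or a DLL-hosting binary."""
    return [k for k in ("relative_path", "arguments")
            if any(tok in fields.get(k, "").lower() for tok in SUSPICIOUS)]

def build_sample_lnk(relpath: str, args: str) -> bytes:
    """Constructed fixture: minimal Unicode shortcut with no IDList or LinkInfo."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args))
    return header + bytes(0x4C - len(header)) + body

if __name__ == "__main__":
    for blob in (build_sample_lnk(r".\Reports\Q2.docx", ""),
                 build_sample_lnk(r"..\Windows\System32\rundll32.exe", r".\Reports\q2.dll,Run")):
        f = parse_lnk(blob)
        print(f["relative_path"], "->", suspicious_fields(f) or "clean")
```

Real shortcuts usually carry an IDList and LinkInfo, which the parser skips by their declared sizes; the zero-click exploits the documents mention live in those skipped structures, so this heuristic complements rather than replaces patching and device control.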