WikiLeaks has published a new batch of the ongoing Vault 7 Leak this time detailing a framework – which is being used by the CIA for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Dubbed “Cherry Blossom,” the framework was allegedly designed by the Central Intelligence Agency (CIA) with the help of Stanford Research Institute (SRI International), an American nonprofit research institute, as part of its ‘Cherry Bomb’ project.
Cherry Blossom is basically a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs), which exploits router vulnerabilities to gain unauthorized access and then replace firmware with custom Cherry Blossom firmware.
“An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest.” a leaked CIA manual reads.
“The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection,” WikiLeaks says.
According to Wikileaks, CIA hackers use Cherry Blossom hacking tool to hijack wireless networking devices on the targeted networks and then perform man-in-the-middle attacks to monitor and manipulate the Internet traffic of connected users.
Once it takes full control on the wireless device, it reports back to CIA controlled command-and-control server referred as ‘CherryTree,’ from where it receives instructions and accordingly perform malicious tasks, which include:
- Monitoring network traffic to collect email addresses, chat user names, MAC addresses, and VoIP numbers
- Redirecting connected users to malicious websites
- Injecting malicious content into the data stream to fraudulently deliver malware and compromise the connected systems
- Setting up VPN tunnels to access clients connected to Flytrap’s WLAN/LAN for further exploitation
- Copying of the full network traffic of a targeted device
According to an installation guide, the CherryTree C&C server must be located in a secure sponsored facility and installed on Dell PowerEdge 1850 powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM.
Cherry Blossom can exploit vulnerabilities in hundreds of Wi-Fi devices (full list here) manufactured by the following vendors:
Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA project, dubbed Pandemic, that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
The tool is a persistent implant for Microsoft Windows machines that has been designed to infect networks of Windows computers through the Server Message Block (SMB) file sharing protocol by replacing application code on-the-fly with a trojanized version of the software.
Since March, the whistleblowing group has published 11 batches of “Vault 7” series, which includes the latest and last week leaks, along with the following batches:
- Athena – a CIA’s spyware framework that has been designed to take full control over the infected Windows PCs remotely, and works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.
- AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that has been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
- Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
- Scribbles – a piece of software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the spying agency to track insiders and whistleblowers.
- Grasshopper – reveal a framework which allowed the agency to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
- Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
- Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
- Weeping Angel – spying tool used by the agency to infiltrate smart TV’s, transforming them into covert microphones.
- Year Zero – dumped CIA hacking exploits for popular hardware and software.