Wikileaks' Vault7 files recently revealed a great deal about the CIA's hacking techniques. They uncovered malware used to infect “air-gapped” PCs, computers that are not connected to the internet, by way of USB sticks. On Thursday, Julian Assange's organization exposed hacks that exploit the same kind of vulnerabilities as the notorious Stuxnet attacks, believed to be the work of the US and Israel. Those attacks aimed at infecting plants in Iran and likewise used thumb drives to spread into critical systems.
The “Brutal Kangaroo” leak published by Wikileaks contains a range of manuals supposedly from the CIA's Information Operations Unit. A user guide dated February 2016 described how the Brutal Kangaroo suite included “Drifting Deadline”, malware that first infects a computer and then any thumb drive plugged into it. As soon as that USB stick was carried over and connected to an air-gapped computer, the infection spread to it.
In the last step, software named Shadow would “create a custom covert network within the target closed network,” through which the CIA could carry out future surveillance.
The most unusual aspect of the attack was a vulnerability that fired as soon as the user browsed the files on the thumb drive in Windows Explorer. Opening a file was not necessary; the computer was infected simply by looking through the drive's contents. This was explained by an independent researcher known as x0rz. This aspect of Brutal Kangaroo resembles the technique abused by Stuxnet, which spread through malicious .lnk (shortcut) files. x0rz also said the CIA used this malware to target the disconnected computers found in industrial systems and used by terrorist groups.
Microsoft and Wikileaks alliance?
Surprisingly, Microsoft had just patched a vulnerability in how Windows processes .lnk files; exploiting it required a specially crafted shortcut icon that the target PC would process. That sounds very similar to the CIA attack.
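The two passages above share one defensive point: Explorer parses a shortcut's icon location just to draw the folder listing, so a .lnk on removable media is processed before anyone opens anything. The script below is an added example, not code from the article, from Wikileaks or from any vendor. It parses the shell link header and the string fields of .lnk files using the publicly documented MS-SHLLINK layout, then flags shortcuts whose icon is served from a DLL, CPL or EXE outside the Windows directory, which is the structure a defender would want to inventory on USB media before plugging it into an isolated machine. The heuristic thresholds, the `build_lnk` helper used to construct the sample shortcuts, and the sample paths are all assumptions made for this demonstration.

```python
"""Triage .lnk files on removable media before they reach an air-gapped host (added example)."""
import struct
import sys
from pathlib import Path

# Shell link header constants from MS-SHLLINK (header is 0x4C bytes, CLSID 00021401-0000-0000-C000-000000000046)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData blocks appear in this fixed order when their flag bit is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

# Heuristic (assumption): icons rendered from a code-bearing file outside the Windows directory are worth a look
CODE_EXTENSIONS = (".dll", ".cpl", ".exe")
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows")


def _read_string(data, pos, unicode_):
    """Read one StringData entry: 2-byte character count followed by the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode_:
        text = data[pos:pos + 2 * count].decode("utf-16-le")
        return text, pos + 2 * count
    text = data[pos:pos + count].decode("cp1252", errors="replace")
    return text, pos + count


def parse_lnk(data):
    """Return the link flags and string fields of a shell link, or raise ValueError if it is not one."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("missing shell link header or CLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the variable-length IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                     # skip LinkInfo; its size field includes itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    info = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            info[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return info


def triage(info):
    """Return a list of reasons this shortcut deserves review (empty list means nothing noteworthy)."""
    reasons = []
    icon = info.get("icon_location", "")
    low = icon.lower().strip('"')
    if low.endswith(CODE_EXTENSIONS) and not low.startswith(SYSTEM_PREFIXES):
        reasons.append(f"icon rendered from non-system code file: {icon}")
    if info.get("relative_path", "").lower().endswith(CODE_EXTENSIONS + (".scr", ".hta", ".vbs", ".js")):
        reasons.append(f"target is executable content: {info['relative_path']}")
    return reasons


def scan_media(root):
    """Walk a mounted removable drive and return [(path, reasons)] for every flagged .lnk."""
    findings = []
    for path in Path(root).rglob("*.lnk"):
        try:
            reasons = triage(parse_lnk(path.read_bytes()))
        except ValueError as exc:
            reasons = [f"unparseable shortcut: {exc}"]
        if reasons:
            findings.append((str(path), reasons))
    return findings


def build_lnk(**fields):
    """Assemble a minimal Unicode shell link with the given string fields (constructed sample data only)."""
    flags = IS_UNICODE
    body = b""
    for bit, name in STRING_FIELDS:
        if name in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[name])) + fields[name].encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\x00" * (HEADER_SIZE - len(header)) + body


if __name__ == "__main__":
    for path, reasons in scan_media(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", "; ".join(reasons))
```

Run it against the mount point of a USB stick before the stick goes near an isolated system; anything it prints is a shortcut whose icon or target would make Explorer touch code just by listing the folder. The heuristics are deliberately conservative and produce candidates for analysis, not a verdict.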
The tech titan stated that the vulnerability had already been exploited before the patch. Who reported the bug was not disclosed, which led x0rz and others to wonder whether Wikileaks had told Microsoft about the problem before Brutal Kangaroo was released, despite its disputes with tech vendors over how it would work with them on patches. x0rz deduced that the “Okabi” exploit named in the user guide was the one that had just been patched and that it was Wikileaks that disclosed it to Microsoft. In 2015, an older exploit in the Brutal Kangaroo arsenal, named EZCheese, was patched and subsequently replaced.
Hacker House co-founder Mathew Hickey stated, “This new Wikileaks leak confirms that [the .lnk vulnerability] is most likely tied to the CIA’s air-gap framework… It was definitely a related flaw.”
A Microsoft spokesperson said, “We’re currently looking into this and have nothing to share at this time.”
At the time of publication, the CIA had not responded to a request for comment. The agency has neither confirmed nor denied whether the Wikileaks files are legitimate. It did, however, criticize past releases by Assange's group that contained iPhone, Mac, Windows and Wi-Fi hacks. A spokesperson said in March, “The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries.”
Attacks on air-gapped computers have long been known, though rarely seen outside of academia. In April last year, researchers showed how subtle changes in the intensity of smart light bulbs could leak data to an outside observer. In February, another demonstration had LED lights relay data in a similar way, this time to a drone hovering outside an office.