Batu69 Posted June 15, 2017

After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series that supposedly contains CIA-made hacking tools the organization claims it received from hackers and agency insiders. Today's dump includes the documentation for a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact with and control SOHO routers on the victim's network.

CherryBlossom installed via tainted firmware updates

The most complex part of using CherryBlossom is by far deploying the tool on a target's routers. This can be done by a field operative, or remotely using a router flaw that allows CIA operators to install new firmware on the targeted device. Internally, CherryBlossom is made up of different components, each with a very precise role:

▻ FlyTrap - beacon (compromised firmware) that runs on the compromised device
▻ CherryTree - command and control server where FlyTrap devices report
▻ CherryWeb - web-based admin panel running on CherryTree
▻ Mission - a set of tasks sent by the C&C server to infected devices

According to the CherryBlossom manual, CIA operators can send "missions" to infected devices from the CherryTree C&C server via the CherryWeb panel. Mission types vary wildly, which speaks volumes about the tool's versatility. For example, missions can:

▻ snoop on the target's Internet traffic
▻ sniff traffic and execute various actions based on predefined triggers (URLs, usernames, email, MAC addresses, etc.)
▻ redirect the target's Internet traffic through other servers/proxies
▻ create a VPN tunnel from the operator to the target's internal network
▻ alert operators when the target becomes active
▻ scan the target's local network

CherryBlossom supports over 200 router models

According to the CIA docs, FlyTraps can be installed on both WiFi routers and access points. There is a separate document that lists over 200 router models that CherryBlossom can target, most of which are older models. This 24-page document is not dated, but the rest of the CherryBlossom manuals are: they date from between 2006 and 2012. You'll find a list of all WiFi equipment vendors that were included in this document at the bottom of this article. For the full vendor-series list, please refer to the original WikiLeaks document here.

In addition, French security researcher X0rz noticed a small detail that might help investigators track down CherryBlossom installations. According to the tool's installation guide, the default URL for the CherryWeb control panel is "https://CherryTree-ip-address/CherryWeb/" (e.g.: https://10.10.10.10/CherryWeb/). Scanning the Internet for CherryWeb web folders will reveal how many CherryBlossom installations are currently deployed online.

Tool co-developed with US nonprofit?

WikiLeaks claims the CIA co-developed CherryBlossom together with a US nonprofit named Stanford Research Institute (SRI International), but SRI's name only appears in one document: the manual for a tool named Sundew, a Linux-based wireless scanner used to identify the make and model of wireless devices. It is unclear at this moment what SRI's role was. In May, WikiLeaks published documents revealing that US cyber-security company Siege Technologies had helped the CIA develop a tool called Athena, a versatile implant (CIA term for "malware").

Unlike the Shadow Brokers, who dumped the actual hacking tools they claim to have stolen from the NSA, WikiLeaks only published the CherryBlossom documentation, without dumping the actual tool. You can read our previous WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks Vault 7 dumps:

ᗙ Weeping Angel - tool to hack Samsung smart TVs
ᗙ Fine Dining - a collection of fake, malware-laced apps
ᗙ Grasshopper - a builder for Windows malware
ᗙ DarkSeaSkies - tools for hacking iPhones and Macs
ᗙ Scribble - beaconing system for Office documents
ᗙ Archimedes - a tool for performing MitM attacks
ᗙ AfterMidnight and Assassin - malware frameworks for Windows
ᗙ Athena - a malware framework co-developed with a US company
ᗙ Pandemic - a tool for replacing legitimate files with malware

List of WiFi router/AP vendors included in the CherryBlossom docs: 3Com, Accton, Aironet/Cisco, Allied Telesyn, Ambit, AMIT, Inc, Apple, Asustek Co, Belkin, Breezecom, Cameo, D-Link, Gemtek, Global Sun, Linksys, Motorola, Orinoco, Planet Tec, Senao, US Robotics, Z-Com

Article source
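The one concrete network indicator in the article is the default CherryWeb path from the install guide, "https://<CherryTree-ip>/CherryWeb/". The script below is an added example (not from the article, the Vault 7 documents or any real scanner) that probes hosts for that path using only the Python standard library. Because the page does not say what a CherryWeb panel actually returns, every verdict it produces is a heuristic, and the function and verdict names (`classify`, `probe`, "likely", "catch-all") and the sample responses in the test are my own assumptions. The one check a practitioner will want and that a naive "is /CherryWeb/ a 200?" scan misses is the control request: a server that answers 200 for every path says nothing about CherryWeb.

```python
"""Probe hosts for the default CherryWeb admin path named in the CherryBlossom
install guide ("https://<CherryTree-ip>/CherryWeb/").

Added example, stdlib only. The real panel's responses are not documented on
the page, so the verdicts below are heuristics (assumption): a non-404 answer
on /CherryWeb/ that differs from a random control path merits a closer look,
nothing more. Only probe hosts you are authorised to test.
"""
import secrets
import ssl
import urllib.error
import urllib.request

CHERRYWEB_PATH = "/CherryWeb/"   # default path quoted from the install guide
TIMEOUT = 5.0


def cherryweb_url(host, scheme="https"):
    """Build the default panel URL for a host (IP or name, optional :port)."""
    return f"{scheme}://{host}{CHERRYWEB_PATH}"


def control_url(host, scheme="https"):
    """Random path that should not exist; used to detect catch-all servers."""
    return f"{scheme}://{host}/{secrets.token_hex(8)}/"


def classify(target_status, target_body, control_status=None):
    """Map the answer on /CherryWeb/ (plus the control path's status) to a verdict.

    Returns (verdict, reason). Verdicts, in the order they are tested:
      absent    - 404/410 on the target path
      catch-all - target and control path answered alike (no signal)
      gated     - 401/403: the path exists but is access-controlled
      likely    - 2xx and the body mentions CherryWeb (assumed marker)
      present   - other 2xx/3xx: the path exists, content unrecognised
      error     - anything else (5xx and the like)
    """
    if target_status in (404, 410):
        return ("absent", f"HTTP {target_status} on {CHERRYWEB_PATH}")
    if control_status is not None and control_status == target_status and target_status < 400:
        return ("catch-all", "control path answered the same; server accepts any path")
    if target_status in (401, 403):
        return ("gated", f"HTTP {target_status}: path exists but is access-controlled")
    if 200 <= target_status < 300 and "cherryweb" in target_body.lower():
        return ("likely", "2xx and body mentions CherryWeb")
    if 200 <= target_status < 400:
        return ("present", f"HTTP {target_status}: path exists, content unrecognised")
    return ("error", f"HTTP {target_status}")


def _fetch(url, ctx, timeout):
    """Return (status, first 4 KiB of body). HTTP error codes are still answers."""
    req = urllib.request.Request(url, headers={"User-Agent": "cherryweb-check/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def probe(host, timeout=TIMEOUT):
    """Probe one host; returns (verdict, reason) and never raises on network errors."""
    # A covert C2 box would not carry a certificate we can validate, so TLS
    # verification is disabled for the probe itself (this is a recon tool,
    # not a client that sends anything sensitive).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        t_status, t_body = _fetch(cherryweb_url(host), ctx, timeout)
        c_status, _ = _fetch(control_url(host), ctx, timeout)
    except (urllib.error.URLError, OSError, ValueError) as err:
        return ("unreachable", str(err))
    return classify(t_status, t_body, c_status)


if __name__ == "__main__":
    import sys
    # 10.10.10.10 is the placeholder address used in the install guide example.
    for h in sys.argv[1:] or ["10.10.10.10"]:
        verdict, reason = probe(h)
        print(f"{h:24} {verdict:12} {reason}")
```

Run it as `python cherryweb_check.py 192.0.2.10 192.0.2.11:8443` against hosts you own. A "likely" or "present" verdict is a lead, not a finding: confirm by hand, and expect few or no hits, since nothing in the manuals says an operator would leave a C2 box on the public Internet at the default path.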
edwardecl Posted June 16, 2017

And this is why I don't use a router directly connected to the internet.
UnknownOne Posted June 16, 2017

All this crap is old; it's 2017, not 2010. They probably do much better now...
Akaneharuka Posted June 16, 2017

If this thing gets hacked and leaked over the internet, many people will be happy again. (Last alert 2010?) Old news?
straycat19 Posted June 16, 2017

Back in the days of the Linksys WRT54G and GL routers, ours were impossible to hack, even by the CIA, because we ran custom firmware on them that secured them. Those were our favorite routers because there was custom firmware for them like DD-WRT and Tomato. This allowed more control over the systems and created hard, hacker-proof routers. As a matter of fact, I gave away a pickup truck full of these routers last summer that were new and still in their factory-sealed boxes that I had been keeping in storage for I don't know what. They were still great routers when combined with the custom firmware; they just didn't have the bells and whistles (and wireless range) that newer routers have.
edwardecl Posted June 16, 2017

9 hours ago, straycat19 said:

Back in the days of the Linksys WRT54G and GL routers, ours were impossible to hack, even by the CIA, because we ran custom firmware on them that secured them. Those were our favorite routers because there was custom firmware for them like DD-WRT and Tomato. This allowed more control over the systems and created hard, hacker-proof routers. As a matter of fact, I gave away a pickup truck full of these routers last summer that were new and still in their factory-sealed boxes that I had been keeping in storage for I don't know what. They were still great routers when combined with the custom firmware; they just didn't have the bells and whistles (and wireless range) that newer routers have.

You're putting a lot of trust in open source community projects. How do you know an NSA operative didn't write parts of the code?
Holmes Posted June 17, 2017

There are no routers that are impossible to hack.
jsday187 Posted June 18, 2017

On 6/16/2017 at 11:18 PM, edwardecl said:

You're putting a lot of trust in open source community projects. How do you know an NSA operative didn't write parts of the code?

How do you know an NSA operative didn't write ALL of your closed-source software's code? A: Because you can't review it. B: Because you probably can't read code anyway. You put your trust in closed-source code? Because a "reputable" company is behind it? Many people would (often due to cognitive dissonance) consider the US Federal Government, and by extension the NSA, to be a reputable "company", so to speak. Code can be written by the most evil, malicious person alive (hell, let's just call it ISIS-C), but as long as there is a person who can read it and, more importantly, the ability to read it in the first place (e.g. open source), then the malicious nature of any line of code can be noticed so that others may be warned about it.
tao Posted June 18, 2017

Again, while it's clear that the CherryBlossom design targeted the following list of routers, it is not clear which have been successfully compromised.

3Com: 3CRWE454A72, 3CRWX120695A, 3CRWX275075A, 3CRTRV10075, 3CRWE41196, 3CRWE454G72, 3CRWE53172, 3CRWE554G72T, 3CRWE554G72TU, 3CRWE675075, 3CRWE725075A-US, 3CRWE754G72-A, 3CRWE754G72-B, 3CRWE825075A-US, 3CRWE875075A-US, 3CRWE91096A, 3CRWE91096A, 3CRWE920G73-US, 3CRWEASY96A, 3CRWEASY96A, 3CRWEASYG73-U, 3CRWX440095A
Accton: WA3101, WA4101, WA5101, WA5201, WA6101, WA6102, WA6102X
Aironet/Cisco: Aironet 1310 Outdoor Access Point /Bridge, Aironet 350 Series Wireless Bridge, 1300 Series Outdoor Access Point/Bridge, Aironet 1200 Series a/b/g Access Point, Aironet 1310 Outdoor Access Point/Bridge, Aironet 350 Series, Aironet 350 Series AP, Cisco Aironet 1400 Series Wireless Bridge, Cisco Aironet 1400 Series Wireless Bridge
Allied Telesyn: AT-WA1004G, AT-WA7500, AT-WL2411
Ambit: (No models specified)
AMIT, Inc: WIS418, WQS418, WUC128
ANI Communications: (No models specified)
Apple: AirPort Express
Asustek Co: WL-160g, WL-300, WL-300g, WL-330, WL-330g, WL-500b, WL-500g
Belkin: F5D7230-4
Breezecom: AP-10, AP-10D, BU-DS.11, BU-DS.11D, DS.5800 Base Unit, RB-DS.11, RB-DS.11D, SA-10, SA-10D, SA-40, SA-40D, WB-10, WB-10D
Cameo: WLB-2006_2007, WLB-2203/2204, WLG-2002/2003, WLG-2204/2205
D-Link: AP Manager or D-View SNMP management module?, DCS-2100+, DCS-3220G, DCS-5300G, DCS-5300W, DI-514, DI-524, DI-624, DI-714P+, DI-774, DI-784, DI-824VUP, DP-311P, DP-311U, DPG-2000W, DP-G310, DP-G321, DSM-320, DVC-1100, DWL-1000AP+, DWL-120, DWL-1700AP, DWL-1750, DWL-2100AP, DWL-2200AP, DWL-7000AP, DWL-7100AP, DWL-800AP+, DWL-810+, DWL-G700AP, DWL-G730AP, DWL-G800AP, DWL-G810, DWL-G820
Epigram: (No models specified)
Gemtek: WADB-100G, WHAPC-100GE 11G, WHRTC-100GW, WX-1500, WX-1590, WX-1600, WX-1688, WX-2214, WX-2501, WX-5520A, WX-5520G, WX-5525G, WX-5525R, WX-5541, WX-5545, WX-5551, WX-5555, WX-5800, WX-5801, WX-5803
Global Sun: CM054RT, WL AP 2454 NM0, WL AP 2454 QA0, WL AP 2454 QA3, WL MU 2454 13I0, WL RT 2454 NM0, WL RT 2554 QA0, WL UD 2454 13I0
Hsing Tech: (No models specified)
Linksys: BEFW11S4, WAP11, WAP51AB, WAP54G, WAP55AG, WCG200, WET54G, WET54GS5, WGA11B, WGA54G, WMA11B, WMLS11B, WPG12, WPG54G, WPS11, WPS54GU2, WRE54G, WRT54G, WRT54GP2, WRT54GS, WRT55AG, WRV54G, WVC11B, WVC54G
Motorola: WR850G
Orinoco: AP-2000 Access Point, AP-2500 Access Point, AP-4000 Tri-Mode Access Point, AP-600 Access Point, Orinoco AP-700, Tsunami MP.11, Tsunami QuickBridge 11, Tsunami QuickBridge 20, Tsunami QuickBridge 60
Planet Tec: WAP-1963A, WAP-4030, WRT-413, WAP-1963, WAP-1966, WAP-4000, WAP-4050, WAP-5000, WAP-5100, WL-U356, WRT-403, WRT-410
RPT Int: (No models specified)
Senao: 5GHz/2.4GHz Dual Band Wireless Access Point, Aries2, Dual Band Wireless Access Point, Long Range Wireless Dongle, Long Range Wireless Outdoor Client Bridge, NL-2511AP PRO PLUS, NL2511SR Plus, NL2511SR Plus(A), NL-2611AP3 PLUS, NL-3054CB3 PLUS, Outdoor Wireless Access Point/Router, Outdoor Wireless Bridge, SL2511SR Plus, Wireless 11g Broadband Router, Wireless Multi-Client Bridge/Access Point
US Robotics: USR5420, USR5430, USR5450, USR8054
Z-Com: XG-1100, XG-2000, XG-3020, XG-580, XG-580Plus, XG-581, XG-582, XI-1450, XI-1500, XI-1510

Within the CherryBlossom propaganda, there are also reports that appear to target seven explicit routers for use with "Flytrap." Flytrap is a tool CherryBlossom uses to "beacon over the Internet to a Command & Control server pointed to as the CherryTree," according to WikiLeaks. < Here >
straycat19 Posted June 19, 2017

On 6/16/2017 at 6:18 PM, edwardecl said:

You're putting a lot of trust in open source community projects. How do you know an NSA operative didn't write parts of the code?

Check and verify. Before you use any open source software, either you have the skill to check and verify the code or you hire people who do.

On 6/17/2017 at 2:17 AM, Holmes said:

There are no routers that are impossible to hack.

There are routers that cannot be hacked. You may not be aware of them, but they exist. Take a look at the comment below.

On 6/18/2017 at 7:49 AM, adi said:

Linksys: BEFW11S4, WAP11, WAP51AB, WAP54G, WAP55AG, WCG200, WET54G, WET54GS5, WGA11B, WGA54G, WMA11B, WMLS11B, WPG12, WPG54G, WPS11, WPS54GU2, WRE54G, WRT54G, WRT54GP2, WRT54GS, WRT55AG, WRV54G, WVC11B, WVC54G

If you pay careful attention to the list, there is one glaring omission from this family of Linksys routers: the WRT54GL, the Linux version. It wasn't targeted because it was impossible to hack if you didn't have physical access to it. It also wasn't used by a lot of everyday users because it used Linux, and most people don't understand that operating system, so the minute they saw it was Linux they avoided it. Sometimes I wish I had kept a couple of them, but my wife always complains that I have too much computer 'junk' around the house, at which time I remind her she has a desktop, laptop, netbook, 2 Nexus tablets, 4 iPod Touch devices, and a phone.
Holmes Posted June 19, 2017

I actually stand corrected. A friend of mine who I haven't talked to in a long time, Jamie, who is a very talented programmer and a genius, told me he looked at the old Zoomtown modems and told me they are virtually unhackable; he told me the only way to get into one is a special cable hooked up to it. I was given a WRT54GL modem by my brother, and something happened and I can fix the problem; I have just been lazy, and I know all about DD-WRT and Tomato. I take it the old Zoomtown modems were virtually unhackable because you couldn't manage them from the web. If I'm not mistaken, you can manage the WRT54GL from the web, and that makes them hackable (then again, I have never messed with DD-WRT or Tomato firmware before). I'm going to try DD-WRT with the one modem to fix it. For your information, there are no routers that cannot be hacked, because you can hack the WRT54GL if you have physical access to it.