Vault 8: WikiLeaks Publish Source Code Project Hive, Client-Owned Malware Control System - CyberNews404


CyberNews404 - Nearly two months after releasing details of the 23 CIA hacking-tool projects in the Vault 7 series, WikiLeaks has announced a new series, Vault 8, that will reveal source code and information about the CIA's back-end infrastructure.

Beyond the announcement, the whistleblower organization has also published the first batch of the Vault 8 series: the source code and development logs of Project Hive, a significant back-end component that the CIA uses to control its malware covertly.

In April this year, WikiLeaks disclosed brief information about Project Hive, revealing that it is an advanced command-and-control server (a malware control system) that communicates with malware implants to send them commands for specific tasks on a target and to receive the data exfiltrated from the target machine.

Project Hive is an all-in-one, multi-user system that multiple CIA operators can use to control multiple remote malware implants deployed in different operations.

The Project Hive infrastructure is specifically designed to prevent attribution: it uses public-facing cover websites and multi-stage communication over Virtual Private Network (VPN) connections.

"With Hive, even if an implant is found on the target computer, connecting it to the CIA is hard to do just by looking at the malware's communications with other servers on the internet," WikiLeaks said.

[Diagram of the Hive infrastructure (image not reproduced)]
As shown in the diagram, malware implants communicate directly with cover websites hosted on commercial Virtual Private Servers (VPS); these sites look unremarkable when opened in a web browser.

In the background, however, once an implant has authenticated, the web server hosting the cover site forwards the malware-related traffic over a secure VPN connection to a hidden CIA server called 'Blot'.

The Blot server then forwards the traffic to 'Honeycomb', the management gateway used by the implant operators.

To avoid detection by network administrators, the implants authenticate with fake digital certificates that impersonate Kaspersky Lab.

"Digital certificates for implant authentication are generated by the CIA and mimic existing entities," WikiLeaks said.

"The three examples included in the source code create a fake certificate for Kaspersky Laboratory, the Moscow-based anti-virus company, pretending to be signed by Thawte Premium Server CA, Cape Town."
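The two details above give a defender something concrete to look for: a certificate that carries a well-known vendor's name but is presented by a host that vendor does not operate, and a certificate whose issuer field names a public CA even though the chain does not actually validate to that CA. The script below is an added example written for this article; it is not code from the Hive source or from WikiLeaks. It runs a couple of such heuristics over a constructed, simplified TLS-handshake log (timestamp, server IP, SNI, subject DN, issuer DN, chain-validated flag). The log format, the vendor-to-domain map and the list of public CA names are assumptions chosen for the example; a real deployment would take these from Zeek/Suricata x509 records and a maintained CA list.

```python
"""Flag TLS sessions whose server certificate borrows a well-known vendor's
identity on an unrelated host, or names a public CA as issuer without the
chain actually validating. Added example: log format, VENDOR_DOMAINS and
PUBLIC_CA_NAMES are constructed assumptions, not anything from the Hive code."""
import shlex
from dataclasses import dataclass

# Constructed sample records (not a real capture):
# ts  server_ip  sni  "subject DN"  "issuer DN"  chain_validated(T/F)
SAMPLE_LOG = """\
2017-11-09T10:00:01Z 203.0.113.10 updates.example-cover.net "CN=kaspersky.com,O=Kaspersky Laboratory,L=Moscow" "CN=Thawte Premium Server CA,O=Thawte,L=Cape Town" F
2017-11-09T10:00:05Z 198.51.100.7 www.kaspersky.com "CN=www.kaspersky.com,O=Kaspersky Lab" "CN=Example Public CA,O=Example Trust" T
2017-11-09T10:00:09Z 192.0.2.4 cdn.example.org "CN=cdn.example.org,O=Example Inc" "CN=Example Public CA,O=Example Trust" T
2017-11-09T10:00:12Z 203.0.113.10 updates.example-cover.net "CN=kaspersky.com,O=Kaspersky Laboratory,L=Moscow" "CN=Thawte Premium Server CA,O=Thawte,L=Cape Town" F
"""

# Assumed: vendor keyword looked for in the subject O field -> domains it legitimately serves.
VENDOR_DOMAINS = {
    "kaspersky": ("kaspersky.com", "kaspersky.ru"),
}
# Assumed: public CA names; a certificate naming one as issuer must chain to it.
PUBLIC_CA_NAMES = ("thawte", "digicert", "globalsign", "example public ca")


@dataclass
class TlsRecord:
    ts: str
    server_ip: str
    sni: str
    subject: dict
    issuer: dict
    chain_ok: bool


def parse_dn(dn: str) -> dict:
    """Split 'CN=a,O=b' into {'CN': 'a', 'O': 'b'} (simple form, no RFC 4514 escaping)."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def parse_log(text: str) -> list:
    """Parse the whitespace-separated, shell-quoted record format used above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sni, subj, iss, ok = shlex.split(line)
        records.append(TlsRecord(ts, ip, sni, parse_dn(subj), parse_dn(iss), ok == "T"))
    return records


def host_under(host: str, domains) -> bool:
    """True if host equals or is a subdomain of one of the domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_record(rec: TlsRecord) -> list:
    """Return human-readable reasons this record looks suspicious (empty if none)."""
    reasons = []
    org = rec.subject.get("O", "").lower()
    for vendor, domains in VENDOR_DOMAINS.items():
        if vendor in org and not host_under(rec.sni, domains):
            reasons.append(f"subject O '{rec.subject['O']}' presented by unrelated host {rec.sni}")
    issuer_text = " ".join(rec.issuer.values()).lower()
    if not rec.chain_ok and any(ca in issuer_text for ca in PUBLIC_CA_NAMES):
        reasons.append(f"issuer '{rec.issuer.get('CN', '?')}' claimed but chain did not validate")
    return reasons


def find_suspect_servers(text: str) -> dict:
    """Map server_ip -> sorted list of distinct reasons, for servers with any finding."""
    findings = {}
    for rec in parse_log(text):
        reasons = check_record(rec)
        if reasons:
            findings.setdefault(rec.server_ip, set()).update(reasons)
    return {ip: sorted(r) for ip, r in findings.items()}


if __name__ == "__main__":
    for ip, reasons in find_suspect_servers(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

On the sample data only the cover-site server is reported, with both reasons; the legitimate vendor host and the unrelated CDN host are left alone because the vendor name and the SNI agree and their chains validate. Both heuristics are deliberately independent of any particular command-and-control protocol, which is what makes them useful against infrastructure built to look like ordinary web traffic.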

WikiLeaks has released the Project Hive source code, which is now available to anyone, including investigative journalists and forensic experts, to download and examine.

The source code published in the Vault 8 series contains only software designed to run on servers controlled by the CIA; WikiLeaks says it will not release zero-day or similar security vulnerabilities that others could abuse.
