
WikiLeaks Reveals CIA Malware That Hacks and Spies on Linux Computers

WikiLeaks has just published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to hack and remotely spy on computers running the Linux operating system.

Dubbed OutlawCountry, the project allows CIA operators to redirect all outbound network traffic on the targeted computer to CIA-controlled systems in order to exfiltrate and infiltrate data.

The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA operators load via shell access to the targeted system; once loaded, it creates a hidden Netfilter table with an obscure name on the target Linux machine.
"The new table allows certain rules to be created using the "iptables" command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed," CIA's leaked user manual reads.
Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it seems the CIA operators rely on existing CIA exploits and backdoors to obtain the shell access needed to load the kernel module onto a targeted Linux system.

However, there are limitations to using the tool: the kernel module only works with compatible Linux kernels.
"OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain," WikiLeaks says.

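The leaked manual's point is that the hidden table is invisible to iptables unless its name is known. The kernel, however, lists every registered IPv4 table in /proc/net/ip_tables_names, and the module itself shows up in lsmod unless it takes extra steps to hide. The following added example (not from the leaked documents or the original article) compares that list against the standard tables and, for any extra name, shows how to dump its PREROUTING chain, where the covert DNAT rules described above would live. The table name x7qz3k in the sample is made up for the example.

```python
"""Spot a Netfilter table the standard tooling would not show you."""
import subprocess

# The standard IPv4 tables; anything else the kernel lists deserves a look.
KNOWN_TABLES = frozenset({"filter", "nat", "mangle", "raw", "security"})


def unexpected_tables(ip_tables_names: str, known=KNOWN_TABLES) -> list:
    """Return non-standard table names from the text of
    /proc/net/ip_tables_names (one table name per line)."""
    names = {line.strip() for line in ip_tables_names.splitlines() if line.strip()}
    return sorted(names - set(known))


def dump_prerouting(table: str) -> str:
    """List the PREROUTING chain of a table whose name we now know.
    Calls the real iptables binary, so it needs root on a live host;
    covert DNAT rules of the kind the manual describes would appear here."""
    result = subprocess.run(["iptables", "-t", table, "-S", "PREROUTING"],
                            capture_output=True, text=True, check=False)
    return result.stdout if result.returncode == 0 else result.stderr


if __name__ == "__main__":
    # Constructed stand-in for /proc/net/ip_tables_names on a host carrying
    # one extra table; the name x7qz3k is made up for this example.
    sample = "filter\nnat\nmangle\nraw\nx7qz3k\n"
    for name in unexpected_tables(sample):
        print("unexpected netfilter table:", name)

    # On a live host (as root):
    # with open("/proc/net/ip_tables_names") as f:
    #     for name in unexpected_tables(f.read()):
    #         print(name, dump_prerouting(name))
```

Run it against a known-good box first: some distributions register additional tables (for example when nftables compatibility shims or third-party firewalls are installed), so extend KNOWN_TABLES with whatever your baseline legitimately shows before alerting on the difference.
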
Previous Vault 7 CIA Leaks


Last week, WikiLeaks published details of a classified CIA malware that tracks the geo-location of targeted PCs and laptops running the Microsoft Windows operating system.

Dubbed ELSA, the malware captures the IDs of nearby public hotspots and then matches them with the global database of public Wi-Fi hotspots' locations.

Since March, the whistleblowing group has published 14 batches in the "Vault 7" series, including this week's and last week's leaks, along with the following:

  • Brutal Kangaroo – a CIA tool suite for Microsoft Windows that targets closed networks or air-gapped computers within an enterprise or organization without requiring any direct access.
  • Cherry Blossom – a CIA framework, generally a remotely controllable firmware-based implant, used for monitoring the Internet activity of target systems by exploiting flaws in Wi-Fi devices.
  • Pandemic – a CIA project that allowed the agency to turn Windows file servers into covert attack machines that silently infect other computers of interest inside a targeted network.
  • Athena – an agency spyware framework designed to take full remote control of infected Windows machines, working with every version of Microsoft Windows from Windows XP to Windows 10.
  • AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform, meant to monitor and report back actions on the infected remote host and execute malicious code.
  • Archimedes – a man-in-the-middle attack tool allegedly built by the agency to target computers inside a local area network (LAN).
  • Scribbles – software reportedly designed to embed 'web beacons' into confidential documents, allowing the CIA to track insiders and whistleblowers.
  • Grasshopper – a framework that allowed the CIA to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.
  • Marble – the source code of a secret anti-forensic framework, primarily an obfuscator or packer used by the agency to hide the actual source of its malware.
  • Dark Matter – hacking exploits the agency designed and used to target iPhones and Mac machines.
  • Weeping Angel – a spying tool used by the CIA to infiltrate smart TVs, transforming them into covert microphones.
  • Year Zero – CIA hacking exploits for popular hardware and software.

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry

Watch out, readers! It is ransomware, another WannaCry, another widespread attack.

The WannaCry ransomware is not dead yet, and another large-scale ransomware attack is causing chaos worldwide, shutting down computers at corporations, power utilities and banks across Russia, Ukraine, Spain, France, the UK, India and the rest of Europe, and demanding $300 in Bitcoin.

According to multiple sources, a new variant of the Petya ransomware, also known as Petwrap, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that WannaCry abused to infect 300,000 systems and servers worldwide in just 72 hours last month.
Apart from this, many victims report that Petya has also infected fully patched systems.

"Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit," confirms Mikko Hypponen, Chief Research Officer at F-Secure.

Petya is a nasty piece of ransomware and works very differently from most other ransomware. Unlike traditional ransomware, Petya does not encrypt files on a targeted system one by one.

Instead, Petya reboots the victim's computer and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable. Because the MFT holds the names, sizes and on-disk locations of every file, encrypting it locks the victim out of the whole system at once.

Petya ransomware replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.
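As an added example (not from the original article or any vendor), here is a minimal check for the MBR-replacement behaviour described above: parse the first 512 bytes of a disk, extract the partition table, and compare the 446-byte bootstrap region against a SHA-256 hash recorded when the machine was known-good. A valid 0x55AA signature alone proves nothing, since a replaced boot sector must still be bootable for the ransom note to display; the baseline hash is what detects the swap. The sample sectors are constructed by make_sample_mbr, and the device paths in the comments assume root or Administrator access.

```python
"""Parse an MBR and compare its bootstrap code with a recorded baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511
# status(1) chs-start(3) type(1) chs-end(3) lba-start(4) sector-count(4)
PART_ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into a bootstrap hash, partition list and
    signature check. Raises ValueError on the wrong size."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def mbr_tampered(sector: bytes, baseline_boot_code_sha256: str) -> bool:
    """True if the bootstrap region differs from the recorded baseline or the
    sector has lost its boot signature."""
    info = parse_mbr(sector)
    return (not info["signature_ok"]) or \
        info["boot_code_sha256"] != baseline_boot_code_sha256


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: the given bootstrap bytes, one bootable NTFS
    partition (type 0x07) starting at LBA 2048, and a valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    first_entry = struct.pack(PART_ENTRY, 0x80, 0x07, 2048, 409600)
    table = first_entry + b"\x00" * 48   # three empty slots
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # Both sectors are constructed; neither is real malware or real firmware.
    clean = make_sample_mbr(b"\xEB\x3C\x90clean-bootstrap")
    baseline = parse_mbr(clean)["boot_code_sha256"]   # record this on a known-good host
    swapped = make_sample_mbr(b"\xEB\x3C\x90replaced-bootloader")
    print("clean tampered?  ", mbr_tampered(clean, baseline))
    print("swapped tampered?", mbr_tampered(swapped, baseline))
    print("partitions:", parse_mbr(clean)["partitions"])
    # Live use (Linux, as root):      with open("/dev/sda", "rb") as d: sector = d.read(512)
    # Live use (Windows, as Admin):   with open(r"\\.\PhysicalDrive0", "rb") as d: sector = d.read(512)
```

Record the baseline hash off-host (a tampered machine cannot be trusted to report its own baseline), and expect it to change legitimately after a bootloader update, so re-baseline as part of that change rather than ignoring the alert.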

Don't Pay the Ransom; You Won't Get Your Files Back

Infected users are advised not to pay the ransom, because the attackers behind this Petya campaign can no longer receive victims' emails.

Posteo, the German email provider, has suspended the address wowsmith123456@posteo.net, which the criminals were using to communicate with victims and send decryption keys after receiving the ransom.

At the time of writing, 23 victims had paid Bitcoin to the address 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX to decrypt their files, totalling roughly $6,775.

Petya! Petya! Another Worldwide Ransomware Attack


Screenshots of the latest Petya infection, shared on Twitter, show that the ransomware displays a message demanding $300 worth of Bitcoin. Here is what the text reads:
"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
According to a recent VirusTotal scan, only 16 of 61 antivirus engines currently detect the Petya sample.

Petya Ransomware Hits Banks, Telecom, Businesses & Power Companies

Photo: a supermarket in Kharkiv, East Ukraine
In the past few hours Petya has already infected the Russian state-owned oil giant Rosneft and the Ukrainian state electricity suppliers Kyivenergo and Ukrenergo.
"We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine's Security Service (SBU) to switch them back on," Kyivenergo's press service said.
There are reports from several banks, including National Bank of Ukraine (NBU) and Oschadbank, as well as other companies confirming they have been hit by the Petya ransomware attacks.

Maersk, an international logistics company, has also confirmed on Twitter that the latest Petya ransomware attacks have shut down its IT systems at multiple locations and business units.
"We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently asserting the situation. The safety of our employees, our operations and customers' business is our top priority. We will update when we have more information," the company said.
The ransomware also hit multiple workstations at the Ukrainian branch of the mining company Evraz.

The most severe damage reported by Ukrainian businesses also includes compromised systems at Ukraine's local metro and Kiev's Boryspil Airport.

Three Ukrainian telecommunications operators, Kyivstar, LifeCell and Ukrtelecom, are also affected by the latest Petya attack.

How Is Petya Ransomware Spreading So Fast?


Symantec, the cyber security company, has also confirmed that Petya is using the EternalBlue SMBv1 exploit, just like WannaCry, to take advantage of unpatched Windows machines.

"Petya ransomware is successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)," tweeted the security researcher using the Twitter handle HackerFantastic.

EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April data dump; the group claimed to have stolen it, along with other Windows exploits, from the US intelligence agency NSA.

Microsoft has since patched the vulnerability for all versions of Windows operating systems, but many users remain vulnerable, and a string of malware variants are exploiting the flaw to deliver ransomware and mine cryptocurrency.

Just three days ago, we reported about the latest WannaCry attack that hit Honda Motor Company and around 55 speed and traffic light cameras in Japan and Australia, respectively.

It is quite surprising that, even after knowing about WannaCry for a decent amount of time, large corporations have still not implemented proper security measures to defend against this threat.

How to Protect Yourself from Ransomware Attacks

What to do immediately? Go and apply those goddamn patches for EternalBlue (MS17-010), and disable the insecure, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers.

Since this Petya variant also uses the WMIC and PsExec tools to spread to fully patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line) wherever it is not needed.
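Because the WMIC and PsExec spread is what hits patched machines, detecting it is at least as useful as disabling WMIC outright. The example below is added here and is not from the original article or any vendor: it runs a few heuristics over process-creation events and flags wmic.exe invoked with /node: ... process call create, psexec pointed at a remote host, and any process whose parent is PSEXESVC.exe, the service PsExec installs on the target to launch the remote command. Field names (Image, CommandLine, ParentImage, Computer) follow Sysmon Event ID 1 conventions, which is an assumption; the events in SAMPLE_EVENTS are constructed, not real telemetry.

```python
"""Flag WMIC / PsExec lateral movement in process-creation events."""
import re

# wmic /node:<host> ... process call create "<cmd>"  (remote process launch)
WMIC_REMOTE_CREATE = re.compile(r"/node:\S+.*process\s+call\s+create", re.IGNORECASE)
# psexec[64][.exe] \\<host> ...  (remote execution from this host)
PSEXEC_REMOTE = re.compile(r"psexec(64)?(\.exe)?\s+\\\\\S+", re.IGNORECASE)


def classify(event: dict) -> list:
    """Return the list of reasons one process-creation event looks like
    lateral movement; an empty list means nothing matched."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if image.endswith("wmic.exe") and WMIC_REMOTE_CREATE.search(cmd):
        reasons.append("wmic remote process creation")
    if PSEXEC_REMOTE.search(cmd):
        reasons.append("psexec to remote host")
    if parent.endswith("psexesvc.exe"):
        # PsExec's service on the *target* spawns the requested command,
        # so this event marks where remote execution landed.
        reasons.append("child of PSEXESVC service (remote execution landed here)")
    return reasons


def scan(events: list) -> list:
    """Return (computer, image, reasons) for every suspicious event."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event.get("Computer", "?"), event.get("Image", "?"), reasons))
    return hits


# Constructed sample events (not real telemetry); hosts and paths are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\wmic.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'wmic /node:"10.0.0.23" /user:"corp\admin" /password:"x" '
                    r'process call create "C:\Windows\System32\rundll32.exe C:\Windows\Temp\payload.dll,#1"'},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},                      # benign local query
    {"Computer": "WS01", "Image": r"C:\Tools\psexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"psexec.exe \\10.0.0.24 -accepteula -s -d C:\Windows\Temp\payload.exe"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\payload.dll,#1"},
    {"Computer": "WS03", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},                            # benign logon
]

if __name__ == "__main__":
    for computer, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{computer}: {image}: {'; '.join(reasons)}")
```

Legitimate administration also uses wmic /node and PsExec, so in production pair these rules with an allowlist of management hosts and alert on the same pattern fanning out from many sources in a short window, which is what a worm looks like and an administrator does not. Windows Security event 4688 carries the same data under different field names (NewProcessName, CommandLine, ParentProcessName), so map them before feeding it to classify.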

Prevent Infection & Petya Kill-Switch

Researchers found that Petya encrypts the disk only after the computer reboots. So if your system is infected with Petya and it tries to restart, do not power it back on.
"If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine," HackerFantastic tweeted. "Use a LiveCD or external machine to recover files."
PT Security, a UK-based cyber security company, and Amit Serper from Cybereason have discovered a kill-switch for Petya ransomware. According to their tweets, creating a read-only file named C:\Windows\perfc prevents the ransomware from running on that machine.

To safeguard against any ransomware infection, always be suspicious of unsolicited files and documents sent over email, and never click on links inside them without verifying the source.

To keep a tight grip on your valuable data, maintain a good backup routine that copies it to an external storage device that is not permanently connected to your PC.

Moreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. Most importantly, always browse the Internet safely.
Russia Warns Pentagon of Consequences if It Bans Kaspersky


Any “unilateral administrative sanctions” by the U.S. may provoke a response from Russia, whose government systems use “a large proportion of American software and hardware solutions in the IT sphere, also in very sensitive areas,” Nikiforov said in an interview on Friday. He declined to identify which U.S. software products might be affected by any retaliatory sanctions.
A country’s use of “foreign software isn’t fundamentally about data risks, as it undergoes screening and certification systems” against possible hidden code that could threaten the security of computer networks, he said.


Amid political debate in the U.S. over computer hacking and alleged Kremlin interference in the 2016 presidential election, the Senate Armed Services Committee has proposed banning the Pentagon “from utilizing software platforms developed by Kaspersky Lab due to statements that the Moscow-based organization might be vulnerable to Russian government authority.” Kaspersky Lab said it does not assist any government with cyber-espionage, the Interfax news service reported Thursday.
FBI agents questioned at least a dozen U.S.-based employees of Kaspersky Lab this week as part of a counterintelligence inquiry, according to NBC News, which reported that the company has “long been of interest” to the government. There is no sign the interviews were linked to the U.S. investigation into alleged Russian meddling in the election, the broadcaster reported.
The Five Eyes Want Strong Encryption for Their Citizens



“While the challenges of modern-day security are real, such proposals threaten the integrity and security of general-purpose communications tools relied upon by international commerce, the free press, governments, human rights advocates, and individuals throughout the world,” the statement said.
“Last year, many of us joined several hundred leading civil society groups, companies, and prominent individuals in calling on world leaders to protect the development of strong cryptography.
“This protection requires an unequivocal rejection of laws, policies, or other mandates or practices, including secret agreements with companies, that limit access to or weaken encryption and other secure communications tools and technologies.
“Today, we repeat that call with renewed urgency. We ask you to protect the security of your citizens, your economies, and your sovereignty by promoting the development and use of secure communications tools and technologies, by rejecting policies that would prevent or undermine the use of strong encryption, and by urging other world leaders to do the same.”

The group said that efforts to build backdoors into encrypted applications or software are short-sighted and counter-productive.
They argued that if access to encryption products were restricted in Five Eyes countries, anyone who needed such tools would simply obtain them from other countries or on the black market.
“We urge you, as leaders in the global community, to recognize that encryption is a crucial tool for general use. It is neither the problem nor the enabler of crime or terrorism. As a technology, encryption does far more good than harm,” the statement said.
“We therefore ask you to prioritize the protection and security of individuals by working to increase the integrity of communications and systems. As a first step, we ask that you continue any engagement on this topic in a multi-stakeholder forum that encourages public participation and affirms the protection of human rights.”
