#OpChangeTheWorld2 🌎 #WikiLeaks BothanSpy&Gyrfalcon
July 6th 2017, WikiLeaks publishes documents from the #BothanSpy and #Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.
#BothanSpy
BothanSpy is an implant that targets the Xshell SSH client program on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in the case of password-authenticated SSH sessions, or username, filename of the private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them to an encrypted file for later exfiltration by other means.
#Gyrfalcon
Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu). The implant can not only steal credentials from users of active SSH sessions, but can also collect full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration.
😅 😉
Leaked Documents:
- BothanSpy 1.0
- Gyrfalcon 2.0 User's Guide
- Gyrfalcon 1.0 User's Manual
WikiLeaks #BothanSpy : https://wikileaks.org/vault7/#BothanSpy
@AnarchoPirate @Steemit