Edward Snowden was right about CIA hacking activities: they are going to lose control of their “weaponized gun” — and it’s going to be ugly.
On March 7th, 8,761 documents and files were leaked from the CIA to Wikileaks introducing the scope and direction of the CIA’s global covert hacking program, its malware arsenal, and dozens of “zero day” weaponized exploits against a wide range of U.S. and European company products: Apple iPhone, Google Android, Microsoft Windows, and even Samsung smart TVs, which are turned into covert microphones.
The Active Directory Perspective
I want to focus here on the Microsoft Windows and Active Directory findings from this leak, which are relevant to 95% of organizations.
The process to compromise an Active Directory environment is usually:
Compromise one computer -> elevate privileges -> find credentials -> lateral movement -> find crown jewels -> exfiltrate data -> GAME OVER.
We are probably going to see more data in the next few weeks from this leak, but here is what we have found so far:
1) Bypassing Windows User Account Control (UAC):
Windows User Account Control (UAC) is a security feature created by Microsoft (since Windows Vista) that attempts to stop malware from running in an Admin context. The leak does not yet show whether they implemented a new technique to bypass UAC or used a known methodology such as DLL hijacking, but the motivation is clear.
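Before worrying about which bypass was used, it is worth knowing what UAC is actually set to on your own machines. The script below is an added example, not from the original post or from Javelin Networks: it reads the documented UAC policy values and flags the weak ones (UAC off, silent elevation for administrators, prompts not on the secure desktop). It is read-only and needs no elevation; the value meanings are Microsoft's documented ones, and the finding text is my own.

```powershell
# Added example, not from the original post: audit the local UAC policy values.
# Reads HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and reports
# whether UAC is on and how administrators are prompted. Read-only; no elevation needed.

function Get-UacAudit {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path -ErrorAction Stop

    # Documented meanings of ConsentPromptBehaviorAdmin
    $adminPrompt = @{
        0 = 'Elevate without prompting (silent elevation for administrators)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (Windows default)'
    }
    $cpba = $p.ConsentPromptBehaviorAdmin
    $meaning = if ($null -eq $cpba) { 'value absent; Windows default (5) applies' } else { $adminPrompt[[int]$cpba] }

    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled, every administrator process already runs elevated'
    }
    if ($cpba -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate silently, so no bypass is even needed'
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: elevation prompts are shown on the normal desktop'
    }

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $cpba
        AdminPromptMeaning         = $meaning
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Findings                   = $findings
    }
}

Get-UacAudit | Format-List
```

Keep the expectation realistic: Microsoft does not treat UAC as a security boundary, so a clean result here is defence in depth, not a stop. What the check does give you is a quick way to spot machines where a "bypass" would be unnecessary because the prompt was already switched off.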
2) Install old versions of the .NET Framework:
Installing old versions of the .NET Framework opens more backdoors and vulnerabilities on Windows machines, making privilege escalation much easier.
3) PowerShell Execution Policy:
By default, PowerShell scripts cannot run on a Windows machine; this restriction is in place to prevent malicious code from executing easily. However, most organizations use old versions of the .NET Framework (e.g. version 2.0, which is very popular), where it is very easy to change the default execution policy to “Unrestricted”, allowing scripts to run.
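The author's point is that a locally set execution policy is trivially changed. What a defender can actually rely on is a policy enforced through Group Policy plus logging of what scripts do. The script below is an added example, not from the original post or Javelin Networks: it lists the execution policy at every scope, checks whether the machine Group Policy key sets it (and to what), and checks whether script block logging is turned on. The registry paths are the documented PowerShell policy locations; everything else is read-only.

```powershell
# Added example, not from the original post: show the execution policy at every
# scope, whether Group Policy enforces it, and whether script block logging is on.
# Read-only; the registry paths are the documented PowerShell policy locations.

function Get-PowerShellPolicyAudit {
    # Every scope; the first entry that is not Undefined is the effective one
    $scopes = Get-ExecutionPolicy -List

    $gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $gpo = Get-ItemProperty -Path $gpoPath -ErrorAction SilentlyContinue
    $sbl = Get-ItemProperty -Path (Join-Path $gpoPath 'ScriptBlockLogging') -ErrorAction SilentlyContinue

    $findings = @()
    if ($null -eq $gpo -or $null -eq $gpo.EnableScripts) {
        $findings += 'No machine Group Policy sets the execution policy: any user can change it with Set-ExecutionPolicy'
    } elseif ($gpo.EnableScripts -eq 1 -and $gpo.ExecutionPolicy -eq 'Unrestricted') {
        $findings += 'Group Policy enforces Unrestricted: unsigned scripts from any source run without a prompt'
    }
    if ($null -eq $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
        $findings += 'Script block logging is off: script contents will not appear in the PowerShell operational log (event 4104)'
    }

    [pscustomobject]@{
        Effective          = (Get-ExecutionPolicy)
        Scopes             = ($scopes | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
        GpoEnforced        = ($null -ne $gpo -and $null -ne $gpo.EnableScripts)
        GpoPolicy          = $gpo.ExecutionPolicy
        ScriptBlockLogging = ($null -ne $sbl -and $sbl.EnableScriptBlockLogging -eq 1)
        Findings           = $findings
    }
}

Get-PowerShellPolicyAudit | Format-List
```

Microsoft itself documents the execution policy as a safety feature rather than a security boundary, which is why the second check matters more than the first: with script block logging on, whatever does run ends up as event 4104 in Microsoft-Windows-PowerShell/Operational, where your detection tooling can see it.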
4) Image File Execution Options:
It was uncommon to find such a non-evasive hacking technique as IFEO, but this may be part of their philosophy: look and behave like an amateur to distract from the fact that they are inside the network.
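IFEO is also one of the easiest persistence spots to audit, precisely because it is so unsubtle. The script below is an added example, not from the original post or Javelin Networks: it walks every Image File Execution Options subkey and reports the ones that carry a Debugger value, which Windows launches in place of the named image. It also flags the accessibility helpers that can be started from the logon screen, since a Debugger on those runs before anyone signs in. The list of those binaries is mine; the script changes nothing.

```powershell
# Added example, not from the original post: list every Image File Execution Options
# subkey that carries a Debugger value. Windows launches that Debugger command in
# place of the named image, so each entry is either a developer's debugger or
# something to investigate. Read-only.

function Get-IfeoDebuggerEntries {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    # Accessibility helpers reachable from the logon screen; a Debugger on these
    # runs before any sign-in, so they are the first entries to review (list is mine).
    $logonScreenBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

    Get-ChildItem -Path $ifeo -ErrorAction Stop | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { return }   # most subkeys only hold tracing/GlobalFlag values

        # First token of the command line, with or without surrounding quotes
        $exe = if ($debugger.StartsWith('"')) { $debugger.Split('"')[1] } else { $debugger.Split(' ')[0] }
        # Test-Path cannot expand %VARIABLES%, so those paths show as not found
        $exists = if ($exe) { Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue } else { $false }

        [pscustomobject]@{
            Image          = $_.PSChildName
            Debugger       = $debugger
            DebuggerExists = $exists
            LogonScreenHit = ($logonScreenBinaries -contains $_.PSChildName)
        }
    }
}

Get-IfeoDebuggerEntries | Format-Table -AutoSize
```

On a normal workstation the output is empty or shows a developer's debugger; a Debugger value on any of the logon-screen binaries, or one whose target no longer exists, deserves an incident ticket rather than a shrug. Watching that key for writes (Sysmon registry events) turns the same check into a continuous detection.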
5) WSUS — Windows Server Update Services:
WSUS is a great target for manipulating file distribution inside the organization. With control over WSUS, you can potentially push and execute any file on any machine.
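The client side of that risk is visible in one registry key. The script below is an added example, not from the original post or Javelin Networks: it reads the Group Policy values that point a client at WSUS (WUServer and WUStatusServer, switched on by AU\UseWUServer) and flags an http:// server, which is the weak setting because the client then cannot tell a real WSUS server from anything else answering on that address. Microsoft recommends configuring WSUS with SSL for exactly this reason. The script is read-only.

```powershell
# Added example, not from the original post: check how this client is pointed at WSUS.
# Group Policy stores the server URLs in WUServer/WUStatusServer under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and turns the redirection on
# with AU\UseWUServer = 1. An http:// server is the weak setting. Read-only.

function Get-WsusClientAudit {
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $wuPath 'AU') -ErrorAction SilentlyContinue

    $usesWsus = ($null -ne $au -and $au.UseWUServer -eq 1 -and
                 $null -ne $wu -and -not [string]::IsNullOrEmpty($wu.WUServer))
    $findings = @()

    if ($usesWsus) {
        foreach ($name in 'WUServer', 'WUStatusServer') {
            $url = $wu.$name
            if ([string]::IsNullOrEmpty($url)) { continue }
            $uri = $null
            if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
                $findings += "$name is not an absolute URL: $url"
            } elseif ($uri.Scheme -ne 'https') {
                $findings += "$name uses $($uri.Scheme)://, so update traffic to $($uri.Host) is unauthenticated in transit"
            }
        }
    }

    [pscustomobject]@{
        UsesWsus       = $usesWsus
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        Findings       = $findings
    }
}

Get-WsusClientAudit | Format-List
```

This only tells you how one client is configured. On the WSUS server itself, confirm the IIS binding actually serves HTTPS and that the certificate is one your clients trust; a client pointed at https:// that silently fails certificate validation is no better than http://.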
6) Internet Explorer Credential Storage:
Internet Explorer is an easy target even in its latest version, but organizations still use it heavily because of legacy on-premises applications and other reasons.
A great way to leverage it, from an attacker's point of view, is to extract credentials from its insecure storage and move beyond that single endpoint.
7) VMware vCenter SSO:
When it comes to enterprise virtualization, VMware is the king, which makes it highly targeted.
When you integrate VMware products into Active Directory to achieve single sign-on, you create a powerful new group in Active Directory—one that makes any member an admin for the VMware management suite. Controlling the VMware hypervisor means controlling the servers.
8) RickyBobby v4.x.x Framework:
RickyBobby 4.x is developed by IOC/EDG/AED/Operational Support Branch (OSB) as a lightweight implant for target computers running newer versions of Microsoft Windows and Windows Server. The RickyBobby implant enables COG operators to upload and download files and execute commands and executables on the target computer without detection as malicious software by personal security products.
Wrapping things up
This information is only collected from Part 1 of this massive leak; many more of the CIA’s hacking techniques will be exposed.
From what we have reviewed at this point, we didn’t see anything sophisticated, which indicates that attacks do not need to be highly advanced or operationally sophisticated. Instead, it demonstrates that the tools used to penetrate and control an organization are the trusted applications and infrastructure management tools that will not set off any security detection alerts.
Specifically, the main access point to an organization is its Active Directory — the underlying layer for their entire network — which is highly exposed and vulnerable.
Active Directory permits movement anywhere in the network, which is why the CIA, and other hackers, continue to target it as a primary means to carry out their attacks.
-Almog Ohayon, Chief Product and Co-founder @ Javelin-Networks
Sources:
1) Bypassing Windows User Account Control (UAC):
https://wikileaks.org/ciav7p1/cms/page_14587654.html
2) Install old versions of the .NET Framework:
https://wikileaks.org/ciav7p1/cms/page_13762919.html
3) PowerShell Execution Policy:
https://wikileaks.org/ciav7p1/cms/page_14588201.html
4) Image File Execution Options:
https://wikileaks.org/ciav7p1/cms/page_2621770.html
5) WSUS — Windows Server Update Services:
https://wikileaks.org/ciav7p1/cms/page_13762930.html
6) Internet Explorer Credential Storage:
https://wikileaks.org/ciav7p1/cms/page_22053024.html
7) VMware vCenter SSO:
https://wikileaks.org/ciav7p1/cms/page_14588624.html
https://wikileaks.org/ciav7p1/cms/page_15368204.html
8) RickyBobby v4.x.x Framework:
https://wikileaks.org/ciav7p1/cms/page_15728810.html