The Hacker News — Cyber Security, Hacking, Technology News

Wikileaks has published a new batch of the Vault 7 leak, detailing a man-in-the-middle (MitM) attack tool allegedly created by the United States Central Intelligence Agency (CIA) to target local networks.

Since March, WikiLeaks has published thousands of documents and other secret tools that the whistleblower group claims came from the CIA.

This latest batch is the 7th release in the whistleblowing organization's 'Vault 7' series.

Dubbed Archimedes, the newly released CIA tool, dumped on Friday, purportedly used to attack computers inside a Local Area Network (LAN).

According to the leaked documents, this MitM tool was previously named 'Fulcrum' but later was renamed to 'Archimedes' with several improvements on the previous version, like providing a way to "gracefully shutting down the tool on demand," and adding "support for a new HTTP injection method based on using a hidden iFrame."

The leaked documents describe Archimedes as a tool that lets users redirect LAN traffic from a targeted computer through a malware-infected computer controlled by the CIA before the traffic is passed on to the gateway, which is known as man-in-the-middle (MitM) attack.

The tool in itself is very simple without any extraordinary capabilities, as there are many MitM tools available on the Internet that anyone can be download and use it to target users on the local network.

Rendition Infosec founder Jake Williams also pointed out that the tool is not even originally developed by the CIA, rather appears to be a repackaged version of Ettercap – an open source toolkit for MitM attacks.

Williams also noted that the potential CIA targets could even use the leaked information to see whether their computers had been targeted by the agency.

Last week, WikiLeaks dumped source code for a more interesting CIA tool known as "Scribbles," a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.

Since March the Whistleblowing website has published 7 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:

• "Year Zero" – dumped CIA hacking exploits for popular hardware and software.
• "Weeping Angel" – spying tool used by the agency to infiltrate smart TV's, transforming them into covert microphones.
• "Dark Matter" – focused on hacking exploits the agency designed to target iPhones and Macs.
• "Marble" – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
• "Grasshopper" – reveal a framework which allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.

Here's some bad news for Android users again.

Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers.

According to a new report from security rating firm BitSight, the issue is due to a vulnerability in the insecure implementation of the OTA (Over-the-Air) update mechanism used by certain low-cost Android devices, including BLU Studio G from US-based Best Buy.

Backdoor/Rootkit Comes Pre-installed

The vulnerable OTA mechanism, which is associated with Chinese mobile firm Ragentek Group, contains a hidden binary — resides as /system/bin/debugs — that runs with root privileges and communicates over unencrypted channels with three hosts.

According to the researchers, this privileged binary not only exposes user-specific information to MITM attackers but also acts as a rootkit, potentially allowing attackers to remotely execute arbitrary commands on affected devices as a privileged user.

"Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit," the CERT advisory associated with this vulnerability warned on Thursday.

Similar to the flaw discovered in Android devices running firmware from Shanghai ADUPS Technology, the newly discovered flaw (designated CVE-2016-6564) also resides in the firmware developed by a Chinese company.

While the AdUps firmware was caught stealing user and device information, the Ragentek firmware neither encrypt the communications sent and received to smartphones nor rely on code-signing to validate legitimate apps.

This blunder could allow a remote attacker to extract personal information from an affected device, remotely wiping the whole device, and even make it possible to gain access to other systems on a corporate network and steal sensitive data.

Affected Android Devices

The vulnerability has been found in multiple smartphone handsets from BLU Products, along with over a dozen devices from other vendors. The list of affected Android handsets includes:

• BLU Studio G
• BLU Studio G Plus
• BLU Studio 6.0 HD
• BLU Studio X
• BLU Studio X Plus
• BLU Studio C HD
• Infinix Hot X507
• Infinix Hot 2 X510
• Infinix Zero X506
• Infinix Zero 2 X509
• DOOGEE Voyager 2 DG310
• LEAGOO Lead 5
• LEAGOO Lead 6
• LEAGOO Lead 3i
• LEAGOO Lead 2S
• LEAGOO Alfa 6
• IKU Colorful K45i
• Beeline Pro 2
• XOLO Cube 5.0

While analyzing the flaw, AnubisNetworks found that the device, a BLU Studio G, attempted to contact three pre-configured Internet domains, two of which remained unregistered despite being hardwired into the Ragentek firmware that introduced the bug.

"This OTA binary was distributed with a set of domains preconfigured in the software. Only one of these domains was registered at the time of the discovery of this issue," BitSight's subsidiary company Anubis Networks says in its report published Thursday. 

"If an adversary had noticed this, and registered these two domains, they would’ve instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a man-in-the-middle attack."

After the discovery, AnubisNetworks researchers registered the addresses and now controls those two extraneous domains to this day in an attempt to prevent such attacks from occurring in the future.

Around 3 Million Devices contain Dangerous Rootkit

Still, the impact was significant. The researchers were able to exploit the backdoor in the BLU Studio G phone, which allowed them to install a file in the location that's reserved for apps with all-powerful system privileges.


However, by observing the data smartphones sent when connecting to the two domains registered by BitSight, the researchers have cataloged 55 known device models that are affected.

"We have observed over 2.8 Million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains," the report reads. 

"In some cases, we have not been [able] to translate the provided device model into a reference to the real-world device."

So far, only BLU Products has issued a software update to address the vulnerability, though BitSight researchers haven't yet tested the patch to analyze its effectiveness. However, the remaining Android devices might still be affected.

For more technical details about the vulnerability, you can head on to full report published by BitSight's AnubisNetworks.

This is the second case in a single week when researchers have warned you of Android smartphones coming pre-installed with backdoors that not only send massive amounts of your personal data to Chinese servers, but also allow hackers to take control of your device.

“If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities. Many Apple customers use iCloud to store their personal information, including iMessages, photos, and contacts,” GreatFire said in a blog post. “This may also somehow be related again to images and videos of the Hong Kong protests being shared on the mainland.”

“This may also somehow be related again to images and videos of the Hong Kong protests being shared on the mainland,” Greatfire.org wrote in its blog post.

“Once the attacker has extracted a user’s credentials, they can reuse the user’s credentials or session cookies to authenticate and forge the exact session,” reads the blog post.

• Email address
• Password
• Read and Sent Messages
• Connections
• “Who viewed my profile”

• Send invitations to connect
• Edit the user’s profile
• Edit job postings
• Manage company pages