
CIA can Hack SSH Sessions on Windows/Linux running on Xshell

by Harikrishna Mekala

Yesterday, on July 6th, 2017, WikiLeaks published documents from the CIA's BothanSpy and Gyrfalcon projects. The implants described in both projects are designed to intercept and exfiltrate SSH credentials, but they run on different operating systems and use different attack vectors.

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either the username and password, in the case of password-authenticated SSH sessions, or the username, the filename of the private SSH key and the key password, in the case of public key authentication. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so that the implant never touches the disk on the target machine) or save them in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured using a CIA-developed rootkit (JQC/KitV) on the target machine.
