Wikileaks Vault-7 Publishes New CIA Exploit Tools BothanSpy And Gyrfalcon
The latest addition of Wikileaks Vault 7 of CIA tools is BothanSpy and Gyrfalcon, used for a remotely cyber attack on Windows and Linux systems to steal SSH Credentials.
BothanSpy is used for targeting on Windows computer system, whereas Gyrfalcon for Linux Machines. Gyrfalcon encrypts and stores the data into a file on Linux Computer system. The attacker must have knowledge of Linux/Unix commands and shells like sh, csh and bash.
In the documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.
BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.
Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.
Do you really think Linux System is secure?
Read Previous Leaks..