Vault 7

[Innocent Warrior]

Promo for new German-Spanish film on the legal fight surrounding Assange (english subtitles) -

Hacking Justice

Source: https://youtube.com/watch?v=1AXj7JX3wSA

Published on May 19, 2017

Click here to register
http://www.docsonline.tv/world-premie...

When you're more than a journalist, you need more than a lawyer !

May 19th 2017, Swedish Prosecutor Marianne Ny drops charges against Julian Assange.

A victory for international legal team lead by Judge Garzon, over a four year endeavour documented by "Hacking Justice", unique film available on the topic with non-infringed image rights from all appearing parties.

Baltasar Garzon, 58, is an analogue man, barely speaks english, is bad with computers. But he plays a major global role within the digital world. He took upon coordinating the international legal teams preparing the upcoming defense of WikiLeaks founder Julian Assange. Garzon is one of the world’s leading authorities upholding the principle of Universal Jurisdiction, defending in this case freedom of press but also fundamental human rights. With a unique access, the film witnesses the struggle for the control of information, the growing influence of intelligence services, the lack of transparency, the role of the mass media and the difficult balance of individual rights and state security.

Awesome team and they don't get paid, a clip from the film of the legal team at work can be viewed here.

* * *

Podcast: WBAI Free Assange #5 -- interview with police corruption whistleblowers, Frank Serpico -

http://nuarchive.wbai.org/mp3/wbai_1...andyCrelof.mp3 …

wbai.org

[Hervé]

'Bigger than WannaCry': New malware employs 7 NSA exploits, Croatian expert warns

RT
Mon, 22 May 2017 15:43 UTC

© Thomas Samson / AFP

Seven cyber exploits purportedly stolen from the US National Security Agency (NSA) have been identified in 'EternalRocks', a new type of malware detected by a Croatian tech security advisor.

Similar to the WannaCry malware which struck hundreds of thousands of computers worldwide this month, EternalRocks apparently draws on NSA-identified network exploits EternalBlue, EternalChampion, EternalRoman, and EternalSynergy.

The worm utilizes DoublePulsar, Architouch and SMBtouch, a series of tools released in an apparent NSA leak by hacking group ShadowBrokers.

Miroslav Stampar‏ @stamparm

Info on (new) EternalRocks worm can be found on https://github.com/stamparm/EternalRocks/ …. Will keep it updated, along with @_jsoo_

5:43 AM - 18 May 2017 8 replies 145 retweets 140 likes

The virus's characteristics were identified by Miroslav Stampar, a Croatian security expert for the country's Computer Emergency Response Team (CERT). He is also listed as a Croatian chapter member of the Honeynet Project, a volunteer network for "security research."

Miroslav Stampar‏ @stamparm

Just captured 406ac1595991ea7ca97bc908a6538131 and 5c9f450f2488140c21b6a0bd37db6a40 in MS17-010 honeypot. MSIL/.NET #WannaCry copycat(s)


8:28 AM - 17 May 2017 5 replies 76 retweets 88 likes

In a breakdown published online, Stampar outlines how the "cyberweapon" downloads in two separate stages, with the second running 24 hours later to avoid detection.

"After about six to eight hours of analysis, I found how to provoke the second stage," said Stampar when contacted by RT.com. "I got kind of excited and scared as somebody had successfully, and professionally, packed all SMB exploits from ShadowBroker's dump.

"I predicted that something bigger than WannaCry is coming," he added.

Stampar explains that EternalRocks sits anonymously on the target device, but can be activated later for more malicious purposes: "It's sole purpose at this moment is propagation and waiting for further command and control updates. As I see it, it is a prelude," he said.

Miroslav Stampar‏ @stamparm

Conclusion: delayed downloader for https://ubgdgno5eswkhmpy[.]onion/updates/download?id=PC which seem to be a full scale cyber weapon

5:46 PM - 17 May 2017 1 reply 8 retweets 13 likes

Microsoft was forced to patch discontinued operating systems earlier this month after WannaCry exploited vulnerabilities in its software.

The patch came after more than 200,000 devices became infected with WannaCry, which encrypts computer files and demands victims to pay a ransom for their release. The wide-reaching ransomware blitz crippled parts of the UK National Health Service.

Last week, Quarkslab security advisor Adrien Guinet released information about a method for decrypting WannaCry. The 'WannaKey' tool was published to Github but only helps users with the Windows XP operating system.

[onawah]

That link doesn't work

Posted by Rachel (here)

Click here to register
http://www.docsonline.tv/world-premie...

It's:
http://www.docsonline.tv/world-premi...acking-justice

[Innocent Warrior]

Vault 7: Projects

RELEASE - Pandemic

Full statement on Pandemic from WikiLeaks -

1 June, 2017

Today, June 1st 2017, WikiLeaks publishes documents from the "Pandemic" project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. "Pandemic" targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine. To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets).

As the name suggests, a single computer on a local network with shared drives that is infected with the "Pandemic" implant will act like a "Patient Zero" in the spread of a disease. It will infect remote computers if the user executes programs stored on the pandemic file server. Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.

Documents Directory HERE.

[A Voice from the Mountains]

I just saw in a Wikileaks tweet earlier today that they have a new release out.

Only people on my Twitter feed are Wikileaks and Trump. Other than that Twitter can go to hell.


Rachel how did you post on this yesterday? Twitter didn't deliver me the news until only a couple of hours ago.

[Innocent Warrior]

Posted by A Voice from the Mountains (here)
Rachel how did you post on this yesterday? Twitter didn't deliver me the news until only a couple of hours ago.

Too slow, they tweeted it 20 hours before the tweet you saw.

[A Voice from the Mountains]

Posted by Rachel (here)

Posted by A Voice from the Mountains (here)
Rachel how did you post on this yesterday? Twitter didn't deliver me the news until only a couple of hours ago.

Too slow, they tweeted it 20 hours before the tweet you saw.

Twitter really is garbage and would be just as bad if not worse than Facebook with censorship if more people actually gave a damn about it. The only reason I even got it was to get Trump's tweets and I think they know that if they banned him like they were considering before, they'd probably really go out of business. They don't provide advertizers with any meaningful return on investment and they were caught fabricating data to make it look better.

I just got locked out of my Twitter account earlier today for stuff I was posting that they didn't like, so I just made another account. I went back and looked and none of my tweets were even showing anyway. On a different account I couldn't find them anywhere, not even with the tweets they separate out as potentially offensive (which apparently includes politically incorrect speech).

If anybody wants to find me, my new handle on there is Barack_Obama_US_Kang lol. @obama_KangOfUS

[Innocent Warrior]

From Hot For Security -

Vault 7: WikiLeaks exposes Pandemic, CIA infection tool for Windows machines (Jun 2, 2017)



After having disclosed information about CIA’s spyware tool Athena only last week, WikiLeaks has published new information from Pandemic, another alleged CIA project that “targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine.”

Part of the Vault 7 series of documents that were either leaked following an inside job or stolen from the CIA by hackers, Pandemic basically turns Windows machines from a targeted network into Patient Zero. It then covertly infects other computers linked to the system by delivering infected versions of the requested files. Because it is very persistent, the original source of infection is difficult to detect.

Pandemic only takes 10 to 15 minutes to install and replaces up to 20 programs, according to a user manual, which doesn’t thoroughly describe how it is actually installed on a targeted file server. The project allegedly dates from April 2014 to January 2015.

See SOURCE to read more (including links).

* * *

Podcast: WBAI Free Assange #6 (30/5/17) -- Interview: former UK ambassador Craig Murray discussing UK election and Assange detention.

http://nuarchive.wbai.org/mp3/wbai_1...andyCrelof.mp3

wbai.org


Assange on the DC leak war -

Source: https://youtube.com/watch?v=3xGCqPqjykA

Published on Jun 1, 2017

This week Co-Founder of WikiLeaks Julian Assange discusses the War of Leaks in DC, who has the best secret security forces around the world, and how the public largely benefits from transparency and sharing of information. Porter and Buck have a debate on what constitutes a whistleblower and the motivations behind those who come forward.

[Innocent Warrior]

Vault 7: Projects

RELEASE - Cherry Blossom

Full statement on Cherry Blossom from WikiLeaks -

15 June, 2017

Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International).

CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for "Man-In-The-Middle" attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.

The wireless device itself is compromized by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks.

Missions may include tasking on Targets to monitor, actions/exploits to perform on a Target, and instructions on when and how to send the next beacon. Tasks for a Flytrap include (among others) the scan for email addresses, chat usernames, MAC addresses and VoIP numbers in passing network traffic to trigger additional actions, the copying of the full network traffic of a Target, the redirection of a Target’s browser (e.g., to Windex for browser exploitation) or the proxying of a Target’s network connections. FlyTrap can also setup VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the Flytrap’s WLAN/LAN for further exploitation. When the Flytrap detects a Target, it will send an Alert to the CherryTree and commence any actions/exploits against the Target. The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult).

Documents Directory HERE.

[Innocent Warrior]

Cherry Bomb: Cherry Blossom (CB) User’s Manual HERE (PDF).



* * *

WBAI interview with Jesselyn Radack & Christine Assange on whistleblower issues and Assange asylum .
http://nuarchive.wbai.org/mp3/wbai_1...170001brad.mp3

Review of Laura Poitras' "Risk" by human rights lawyer Renata Avila on WBAI.
https://soundcloud.com/user-10880948...tras-film-risk

wbai.org

From Electric Frontier Foundation - As the Espionage Act Turns 100, We Condemn Threats Against Wikileaks (June 14, 2017)

* * *

Posted by Rachel (here)
Ronald Bernard Luciferian Banking Testimony (April 22, 2017)

For anyone interested, full PDF, scanned copy, dated 1934 - THE PROTOCOLS OF ZION

Real Big Power: Revelations by insider Ronald Bernard-part 2 (Uploaded June 9, 2017)

[Innocent Warrior]

Vault 7: Projects

RELEASE - Brutal Kangaroo

Full statement on Brutal Kangaroo from WikiLeaks -

22 June, 2017

Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables.

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects a Internet-connected computer within the organization (referred to as "primary host") and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

The Brutal Kangaroo project consists of the following components: Drifting Deadline is the thumbdrive infection tool, Shattered Assurance is a server tool that handles automated infection of thumbdrives (as the primary mode of propagation for the Brutal Kangaroo suite), Broken Promise is the Brutal Kangaroo postprocessor (to evaluate collected information) and Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow instances are installed and share drives, tasking and payloads can be sent back-and-forth).

The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.

Documents Directory HERE.

[Innocent Warrior]

From Brutal Kangaroo release, CIA air-gap jumping virus 'Emotional Simian' -

Emotional Simian v2.3 - User Guide - https://wikileaks.org/vault7/documen..._3-User_Guide/





* * *

Finale of WBAI's "Julian Assange Countdown to Freedom" with NSA's Thomas Drake and film maker John Pilger.
https://www.wbai.org/archive-popup.p...andyCrelof.mp3

Former CIA, NSA & FBI senior officers on the five year detention of Julian Assange -

Binney, McGovern, Rowley: WikiLeaks and the Global Information War (June 20, 2017)

On today's episode of Loud & Clear, Brian Becker is joined by Ray McGovern, an activist and a former CIA analyst; by Coleen Rowley, a former FBI special agent and whistleblower; and by Bill Binney, a former NSA technical director and whistleblower.

Monday, June 19 marks five years since Wikileaks founder Julian Assange sought asylum in Ecuador. In the half a decade since then, Assange has been prevented by British authorities from leaving the Ecuadorian embassy in London despite the UN finding last year that he has been the subject of arbitrary detention. His case and the campaign against Wikileaks have caused a global debate over whistleblowing that rages to this day.

Full episode HERE.

[Hervé]

#Vault7: CIA’s secret cyberweapon can infiltrate world’s most secure networks

RT
Published time: 22 Jun, 2017 11:47
Get short URL

© Joe Raedle / AFP

WikiLeaks’ latest release in its Vault7 series details how the CIA’s alleged ‘Brutal Kangaroo’ program is being used to penetrate the most secure networks in the world.

Brutal Kangaroo, a tool suite for Microsoft Windows, targets closed air gapped networks by using thumb drives, according to WikiLeaks.

Air gapping is a security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks.

WikiLeaks‏Verified account @wikileaks

RELEASE: CIA 'Brutal Kangaroo' thumb drive air gap jumping virus attack suite https://wikileaks.org/vault7/#Brutal%20Kangaroo …

2:14 AM - 22 Jun 2017

32 replies 952 retweets 869 likes

These networks are used by financial institutions, military and intelligence agencies, the nuclear power industry, as well as even some advanced news networks to protect sources, according to La Repubblica journalist Stefania Maurizi.

These newly released documents show how closed networks not connected to the internet can be compromised by this malware. However, the tool only works on machines with a Windows operating system.

Firstly, an internet-connected computer within the targeted organization is infected with the malware. When a user inserts a USB stick into this computer, the thumbdrive itself is infected with a separate malware.

Once this is inserted into a single computer on the air gapped network the infection jumps – like a kangaroo – across the entire system, enabling sabotage and data theft.

WikiLeaks‏Verified account @wikileaks

RELEASE: CIA air-gap jumping virus 'Emotional Simian' https://wikileaks.org/vault7/document/Emotional_Simian-v2_3-User_Guide/ …

2:36 AM - 22 Jun 2017
21 replies 970 retweets 849 likes

If multiple computers on the closed network are under CIA control, they “form a covert network to coordinate tasks and data exchange,” according to Wikileaks.

Data can be returned to the CIA once again, although this does depend on someone connecting the USB used on the closed network computer to an online device.

Julian Assange‏ @JulianAssange

CIA's Brutal Kangaroo air-gap jumping virus smuggles out stolen data in images on USB sticks @softwarnet https://wikileaks.org/vault7/#Brutal%20Kangaroo …

3:01 AM - 22 Jun 2017
18 replies 454 retweets 457 likes

While it may not appear to be the most efficient CIA project, it allows the intelligence agency to infiltrate otherwise unreachable networks.

This method is comparable to the Stuxnet virus, a cyberweapon purportedly built by the US and Israel. Stuxnet is thought to have caused substantial damage to Iran's nuclear program in 2010.

The CIA allegedly began developing the Brutal Kangaroo program in 2012 – two years after Stuxnet incident in Iran.

The most recent of these files were to intended to remain secret until at least 2035. The documents released by WikiLeaks are dated February 2016, indicating that the scheme was likely being used until that point.


Related:
‘CIA’s Cherry Bomb’: WikiLeaks #Vault7 reveals wireless network targets
Shadow Brokers leak links NSA to alleged US-Israeli Stuxnet malware that targeted Iran

[Omni]

What an amazing thread this is. Thanks to all contributors.

[Omni]

And just to give an idea of the absurdity of the U.S Government:

[Openmindedskeptic]

Posted by Omnisense (here)
What an amazing thread this is. Thanks to all contributors.

This is probably my favorite thread on the forum at this time. I check in every Friday to see if there are any new developments.

[Innocent Warrior]

CIA - Stuxnet connection.

From Flashpoint -

WikiLeaks Publishes CIA Documents Detailing “Brutal Kangaroo” Tool and LNK Exploits (June 23, 2017)



On June 22, 2017, WikiLeaks released a new cache of documents detailing four tools allegedly used by the CIA as part of its ongoing “Vault 7” campaign. The leaked tools are named “EzCheese,” “Brutal Kangaroo,” “Emotional Simian,” and “Shadow.” When used in combination, these tools can be used to attack systems that are air-gapped by using weaponized USB drives as an exfiltration channel. Per the documentation, deployment of the tool takes place by unwitting targets; however, the use of such tools could also easily be deployed purposefully by complicit insider actors.

Brutal Kangaroo

Brutal Kangaroo is a suite of tools that can be used to attack air-gapped networks by using weaponized USB drives as a covert channel. For configuration, an attacker would have the ability to pick how the tool is delivered; the tool can be set to no configuration, EzCheese, “Lachesis” LinkFiles, or “RiverJack” LinkFiles. EzCheese, Lachesis, and RiverJack appear to be LNK exploits that can be used to gain access to a system with little to no user interaction. Brutal Kangaroo also has the ability to read configuration files and compress the data, making detection and analysis much more difficult.

EzCheese

EzCheese is an LNK exploit which can be used to exploit systems via USB drives. The payload can be configured to use an x86 or x64 DLL file, which can be executed simply by viewing the directory in Explorer. Per the documentation released by WikiLeaks, EzCheese was patched as of March 2015; analysis suggests that EzCheese is the LNK exploit patched in CVE-2015-0096. Open Source analysis of Microsoft patches issued during this period identify two exploits using LNK files, CVE-2010-2568 (MS10-046) and CVE-2015-0096. CVE-2015-0096 is particularly interesting, as this exploit uses the same flaw as MS10-046, which was not fully patched by Microsoft. MS10-046 was made public with the analysis of “Stuxnet,” and was an LNK exploit identified inside of the binary file. Stuxnet was used to attack air-gapped networks with weaponized USB drives, suggesting an overlap of tactics, techniques, and procedures (TTPs).

Lachesis (Okabi Links)

Lachesis can be deployed using autorun.inf on a USB drive when a drive is inserted into a machine, and can also be configured with an x86 or x64 DLL’s for code execution. This works for Windows 7 systems, and the CVE for this exploit is currently unknown.

RiverJack (Okabi Links)

RiverJack is another technique for launching exploits via USB. To launch, RiverJack uses the library-ms functionality to gain execution. Per the documentation, LNK files can be set to hidden and it is not necessary to view these files for deployment. This exploit works against Windows 7, 8, and 8.1; the current CVEs surrounding this technique are currently unknown.

Emotional Simian

Emotional Simian is a data collections tool that can be used to gather files from infected systems and store them on USB drives. This tool can be configured to find files based on certain patterns, such as by filenames or extensions. File collection can occur on target systems based on modified and accessed dates in order to not collect duplicate files. Emotional Simian can also be configured to remove itself from an infected machine based on the date of the system; by default, it is set to remove itself after two years.

While this can be deployed by witting participants and insiders, the main deployment method is intended to be covert via unwitting hosts. In order to compromise the air-gapped systems, attackers will infect systems to which they have access, which are known as the “primary host.” Once a USB drive from this host has been compromised, it can be plugged into an air-gapped system where data collection begins; the data can then be saved to a separate partition on the USB drive. Once data is collected and the USB is plugged back into the primary host, other tools can be used to siphon the data off of the system. The data is then later processed.

Shadow

Once the USB tools have been deployed inside of a network, Shadow can be used to set up covert channels which can be used to send files back and forth. Similar to Emotional Simian, Shadow can be configured to collect certain files based on filename patterns and modified times. USB drives can be configured to be converted into Shadow drives, which allocate 10 percent of a USB drive partition for moving files. Infected systems can receive packet broadcasts with instructions and collected files can be assembled for post-processing. If pieces are missing, the tool will label chunks as missing; these missing pieces of data can be collected and reassembled later.

Assessment

While the tools described are used primarily by nation-state actors for covert data collections against unwitting victims, the tools could be used by a malicious insider for covertly collecting files. Flashpoint assesses with moderate confidence that the March 2015 patching of LNK exploit CVE-2015-0096 is likely EzCheese, which was an extension of patch MS10-046. MS10-046 was exploited by Stuxnet to attack air-gapped networks via USB drives, which is a significantly overlapping tactic, technique, and procedure (TTP) between Stuxnet and Brutal Kangaroo. LNK exploits are dangerous as they require little to no user interaction, and infection can occur simply by having the file rendered on the system.

Nine days prior to the release of the new Vault 7 dump, Microsoft patched CVE-2017-8464, which was described as a remote code execution vulnerability using LNK exploits; this exploit was rated as critical and in the wild. In the patch notice, Microsoft mentioned that the code could be used and deployed to removable drives to infect hosts. Microsoft did not provide the source of where the information on the vulnerability came from; it is currently unknown if CVE-2017-8464 fixes the LNK exploits described above.

For mitigations, Flashpoint recommends monitoring USB drive use because it is the primary deployment vector for these tools. LNK files should not typically be on USB drives; their presence may serve as an early warning of potentially suspicious activities.

Source.

[Innocent Warrior]

From Forbes:Security -

Wikileaks: CIA Stuxnet-Like Attacks Hacked Unconnected PCs Via USB (June 22, 2017)



The latest release from the Wikileaks Vault7 files, widely believed to contain details on the hacking techniques of the CIA, has revealed malware aimed at infecting so-called “air-gapped” PCs, those computers not connected to the internet, using USB sticks. The hacks exposed by Julian Assange’s organization Thursday exploit vulnerabilities similar to those used in the infamous Stuxnet attacks, believed to have been perpetrated by the US and Israel to infect nuclear plants in Iran, which also used thumb drives to spread into critical systems.

Wikileaks’ “Brutal Kangaroo” leak includes an array of manuals allegedly from the CIA’s Information Operations Unit. One user guide dated February 2016 explained how the Brutal Kangaroo suite included “Drifting Deadline,” malware designed to first infect a computer and then any plugged-in thumb drive. As soon as a target moved that USB stick over to a non-connected – i.e. “air-gapped” – computer, the infection would spread.

The final step, using software called Shadow, would “create a custom covert network within the target closed network,” from where the CIA could carry out further attacks and surveillance.

Perhaps the most impressive aspect of the attack was an exploit of a vulnerability that ran as soon as a user simply looked at files on the thumb drive in Windows Explorer. They didn’t even need to open any of the files, just peruse them, to get infected, explained an independent researcher going by the name x0rz. That particular part of the Brutal Kangaroo exploit kit was similar to one abused by Stuxnet, in that it was delivered via malicious .lnk files. Industrial systems and terrorist groups using disconnected computers were likely the targets of the CIA malware, said x0rz.

Microsoft and Wikileaks working together?

Intriguingly, Microsoft just patched a vulnerability affecting Windows’ processing of .lnk files, and to exploit it only required the icon of a specially-crafted shortcut be processed by the target PC. That sounds identical to the CIA attack.

The tech titan said that flaw had previously been exploited too. But it didn’t give any details on who disclosed the bug, leading x0rz and others to speculate Wikileaks properly informed Microsoft of the issue before releasing the Brutal Kangaroo files today, despite having some disputes with tech providers about how it would work with them to patch. x0rz guessed that the “Okabi” exploit named in the user guide was the one that was patched and that Wikileaks, rather than the CIA, was the one that disclosed to Microsoft. An older exploit that formed part of the Brutal Kangaroo arsenal, called EZCheese, was patched in 2015 before being replaced.

“This new Wikileaks leak confirms that [the .lnk vulnerability] is most likely tied to the CIA’s air-gap framework… It was definitely a related flaw,” said Hacker House co-founder Mathew Hickey.

“We’re currently looking into this and have nothing to share at this time,” a Microsoft spokesperson said.

The CIA hadn’t returned a request for comment at the time of publication. The CIA has neither confirmed nor denied whether any of the Wikileaks files are legitimate. But it did criticize Assange’s group following past releases, which included iPhone, Mac, Windows and Wi-Fi hacks. “The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries,” a spokesperson said in March.

Such attacks on air-gapped systems have long been known, though rarely seen outside of the academic world. In April last year, researchers showed how subtle changes in smart lightbulb intensity could reveal data to an outside observer, while this February an attack was showcased that had LED lights relay data in a similar way, but to a drone floating outside an office.

Source (contains links).

* * *

From VOA -

CIA Chief: Intel Leaks on the Rise, Cites Leaker 'Worship' (June 25, 2017)



WASHINGTON —
CIA Director Mike Pompeo says he thinks disclosure of America's secret intelligence is on the rise, fueled partly by the “worship” of leakers like Edward Snowden.

“In some ways, I do think it's accelerated,” Pompeo told MSNBC in an interview that aired Saturday. “I think there is a phenomenon, the worship of Edward Snowden, and those who steal American secrets for the purpose of self-aggrandizement or money or for whatever their motivation may be, does seem to be on the increase.”

Pompeo said the United States needs to redouble its efforts to stem leaks of classified information.

“It's tough. You now have not only nation states trying to steal our stuff, but non-state, hostile intelligence services, well-funded -- folks like WikiLeaks, out there trying to steal American secrets for the sole purpose of undermining the United States and democracy,” Pompeo said.

Besides Snowden, who leaked documents revealing extensive U.S. government surveillance, WikiLeaks recently released nearly 8,000 documents that it says reveal secrets about the CIA's cyberespionage tools for breaking into computers. WikiLeaks previously published 250,000 State Department cables and embarrassed the U.S. military with hundreds of thousands of logs from Iraq and Afghanistan.

There are several other recent cases, including Chelsea Manning, the Army private formerly known as Bradley Manning. She was convicted in a 2013 court-martial of leaking more than 700,000 secret military and State Department documents to WikiLeaks while working as an intelligence analyst in Iraq. Manning said she leaked the documents to raise awareness about the war's impact on innocent civilians.

Last year, former NSA contractor Harold Thomas Martin III, 51, of Glen Burnie, Maryland, was accused of removing highly classified information, storing it in an unlocked shed and in his car and home. Court documents say investigators seized, conservatively, 50 terabytes of information, or enough to fill roughly 200 laptop computers.

Pompeo said the Trump administration is focused on stopping leaks of any kind from any agency and pursuing perpetrators. “I think we'll have some successes both on the deterrence side - that is stopping them from happening - as well as on punishing those who we catch who have done it,” Pompeo said.

See source for full article.

[Hervé]

WikiLeaks Releases Files on CIA Spying Geo-Location Malware for WiFi Devices

Sputnik World 16:53 28.06.2017

© AP Photo/ Carolyn Kaster

The WikiLeaks whistleblowing website published documents, showing how ELSA malware is allegedly used by US intelligence services to collect geolocation data from WiFi-enabled devices.

MOSCOW (Sputnik) — The WikiLeaks whistleblowing website on Wednesday released a new batch of CIA documents from the so-called Vault 7 project, showing how ELSA malware is allegedly used by US intelligence services to collect geolocation data from WiFi-enabled devices.

“Today, June 28th 2017, WikiLeaks publishes documents from the ELSA project of the CIA. ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Micorosoft Windows operating system … If it [device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp,” WikiLeaks said in a press release.

WikiLeaks‏Verified account @wikileaks

RELEASE: CIA 'ELSA' implant to geolocate laptops+desktops by intercepting the surrounding WiFi signals https://wikileaks.org/vault7/#Elsa

5:19 AM - 28 Jun 2017

​
According to the statement, the malware, once it is persistently installed on a targeted device, does not have to be connected to the internet to continue collection of data.

“Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device,” WikiLeaks said.

The whistleblowing platform released what appears to be the CIA's user manual for the ELSA project as evidence. WikiLeaks began releasing Vault 7 on March 7, with the first full part comprising 8,761 documents. The previous release took place on June 22 and was dedicated to the CIA "Brutal Kangaroo” hacking tool.

...

Related:
WikiLeaks Releases New Batch of CIA Documents From "Pandemic" Project

[Hervé]

Interesting example from Jim Stone:

Things came to a head last night

They finally got a hack on this machine that was both incompatible and complete. They took it off the machine after I posted this and things started working perfect.

HEY GOONS: GET YOUR CRAPWARE OFF THIS COMPUTER OR I WILL MAKE NORTH KOREA VERY HAPPY BY HANDING THEM A KNOWN HACKED MACHINE THAT THEY CAN STUDY TO IMPROVE THEIR DATA SECURITY. I'll make good and sure they clearly understand what they have to do to prevent you from wiping it once they get it. MY GOD I AM SICK OF THIS SH*T. And if they have no representation in Mexico, I absolutely WILL go talk to Vlad, who I have spoken to before, AT THE RUSSIAN EMBASSY.

Hey you idiots: I don't care what you think about me "not possibly" being former NSA, because you are DEAD WRONG, I have transparently seen through your sh*t for months and simply kept quiet about it.

I might as well tell them how I noticed their *****ING SCREW UP. HEY IDIOTS: YOU, ON YOUR F**** SPY NETWORK ARE SET UP WITH DHCP. WHEN YOU STEAL MY CONNECTION AND KEYS AND ISSUE A REMOTE DESKTOP, THE LOGIN WON'T WORK UNLESS THE IP IS STATIC. FUTHERMORE, YOUR F****ING DESKTOP HAS THE WRONG VERSION OF CPANEL IT IS SENDING TO MY SCREEN! WHEN I ACTUALLY GET IN IT IS A DIFFERENT REVISION WITH DIFFERENT GRAPHICS. WHAT IDIOTS! COMMON CORE AT IT'S FINEST. NOW YOU KNOW HOW I KNOW YOU ARE THERE. I wanted to keep all that secret, but if you are going to totally A-hole me off the server with your incompetence, I might as well let you know how I know SO YOU CAN FIX IT!

HEY IDIOTS: Why record absolutely everything I do when it is all public anyway? And if you are Correct The Record with that fancy NSA spyware someone handed you, LEARN HOW TO USE IT YOU FOOLS!

Now it is up to you to figure out what else I might know. To that effect all I will say is That's dynamic! Want to lose a few secrets to **RANDOM** via a discovered hack? TRY ME. I'm all ready to play after this latest round of BULL****.

FUNDRAZR BLEW THE LID ON SOMETHING ELSE:

I set up 3 different Fundrazr accounts that were identical, in case one got hacked so I could just change the link. LATER, FUNDRAZR NOTIFIED ME THAT THERE WERE THREE ADDITIONAL ACCOUNTS, FOR A TOTAL OF SIX. So three for me, and three for "them!". All 3 Fundrazr accounts I set up were set to private, because of the front page link. Their duplicates were private also, so I could not locate them, but Fundrazr told me they existed because it associated the web site with them. They were obviously set up to provide a duplicate identical looking page that people could be re-directed to via a DNS based man in the middle attack set up to steal or block funding for this web site. I do not know if I should keep using Fundrazr or not. Because if it told me (indirectly) "they" were there, that's good. But if it can be quickly man-in-the-middle spoofed, that's bad.

It might be a situation where no matter what I use, they will set up an intercept. Anyway, the recent events made them all look like children, and proved that you can't just hand a World of Warcraft playing Millenial some fancy software and expect old school results.

Lots of people wanted me to give the "bugged" laptop to North Korea anyway!

There is some really important information here, I am going to say it all.

I can't give the "bugged laptop" to anyone. Because I posted a detailed and accurate explanation for what was done to the laptop, along with a threat to hand it over, and the second I did that, whatever agency bugged it wiped the bug off of it. That's standard procedure when they have been discovered. I learned from this that: 1. The problems I was having were not caused by a stinger.

2. It was not an internet based bug that watched for my system profile.

3. It was all accomplished via crapware they managed to get onto this computer, possibly in the Bios, but probably into that "rom chip". I did not actually burn the data path to the recordable section open, I only had in place a command for the operating system to not write to it. If someone had a correct operating system back door, they could bypass that which would have made it possible for them to bug it, but only the NSA or CIA would have figured that out, so now I know who did it.

The battery is probably still bugged, because it was bugged and I knew it. It was the first thing they bugged. They did the ROM chip/system bios later. Batteries have their own processors and memory in them which report battery condition, and these can be bugged with crapware too. I have not given them an opportunity to kill the bug off the battery, so that's still around to turn over to someone.

Now that I know for certain that all the problems were ones that got planted onto this laptop, the next time I see a problem, it is going straight to the Russians. PERIOD. Anyone attacking this site is a seditious bastard, and needs to be blown out of the power structure. If it takes a foreign nation to accomplish that because we have lost this nation so badly, well, what can I say? They don't have to risk their assets by just handing them to me! They have been warned . . . .

Problems that vanished:
1. "The website you are trying to access has an invalid security token" - This would happen TWICE each time I tried to log into the server. If people are seeing this, on various web sites, it probably does not mean anything has a problem, it probably means you are bugged. The problem happens when the spook's remote desktop arrangement screws up and fails to pass you the security token for a secure web site.

2. "This web site is being re-directed to a new location". One to five times every time I tried to log into the server. POOF, GONE. That problem VANISHED.

3. "Your session token is not valid, please log in again". Usually it would take me an hour or so to finally get past all their crap, and get onto the server with a legit session token. After they took their crapware off, log ins are instant, permanent, and work the first try.

4. All the problems with getting the wrong version of Cpanel are GONE, (common core JOE was too stupid to know what I was supposed to see, and sent the desktop for the wrong revision of Cpanel to my desktop EVERY SINGLE TIME.) When I'd see that, I knew I was hacked, and the next thing I'd see is "Your session token is not valid, please log in again".

5. Your IP address has changed, please log in again - This is because idiot JOE did not have the proper configuration ON HIS MACHINE to make the crapware work. His machine should have spoofed all IP's perfectly and kept them static, but was improperly set up to use dynamic IP's.

6. Occasionally I'd see whatever pictures idiot Joe was looking at, they'd just magically appear on my screen. That proved I was working on someone elses desktop. one time, idiot Joe sent me a 4K screen that scrolled like I was viewing a football field (my machine actually put up scroll bars to accomodate it!) So that's what American intelligence is using. That stopped.

I did not mention any of this until idiot joe did an update to his crapware that I saw come in, and it worked perfect, which, because his machine was set up to use DHCP or some other dynamic IP arrangement would constantly get me kicked off the server, which requires a static IP. After trying to get on for four consecutive hours, I posted that I knew they were there via combat mode, a special arrangement I set up that allows a dynamic IP and does not issue a token. It has it's own edit screen and uses php to inject new content onto the front page, into the window. It is a nice little piece of work, but that's all "combat mode" was. It was not all that secure, but still secure enough to block out any legit hacker. It allowed me to work through their screwed up remote desktop.

DEAR TROLLING INTELLIGENCE AGENCIES, who would occasionally send ridicule to the message window, saying I did not know about security:

I knew what was causing the problems the whole time, and knew it was your own configuration screw ups that caused them but did not say it because I did not want idiot JOE to do a work around that concealed anything. I knew ONLY the CIA or NSA would ever successfully target me, because actually my security was quite good against legitimate hackers. Yes, I know my Linux has that problem with allowing anyone to log in but did not update it, because who, other than the NSA/CIA would ever figure that out, let alone get onto my cell connection to accomplish that? WHO, OTHER THAN THE NSA/CIA WOULD KNOW WHAT CELL TOWER TO HACK ME THROUGH, AND THEN BYPASS WRITE PROTECTION ON THE ROM CHIP SIMPLY BECAUSE I DID NOT ACTUALLY BURN THE DATA PATH OPEN? Idiot JOE's failure to use a static IP that spoofed mine was sheer idiocy, because it made it perfectly obvious someone had me hacked, ONCE I ACCESS VIA THE CELLULAR CONNECTION MY IP IS STATIC AND I CAN'T GET A MESSAGE IT HAS CHANGED UNLESS SOME IDIOT CAUSES IT. This is a basic requirement of ALL, not just one, ALL my web servers and I had to make sure my web provider always issued a static IP before I even chose to use that provider. If the IP changed I knew I was running off of IDIOT JOE'S DESKTOP. So I was not so stupid after all, Because I knew you were there, and knew the value of keeping my mouth shut about the actual details.

MY OFFER IS PERMANENT:
Now you know you had your pants pulled down the whole time. Now you know I can stay shut up about it. And you thought you were smart the WHOLE TIME. And you even poked fun at me a few times. That was stupid, because you were standing in front of me BUTT NAKED while you poked fun. and the next time your asses are hanging out, I'm saying NOTHING, I'll just pull the (new) battery out and go to the Russian embassy and gift them a free laptop, complete with full instructions on how to avoid having you wipe your stuff off before they nail it. How about that? I have a right to give my **** away!