Vault 7: tools to hack air-gapped Windows PCs detailed

WikiLeaks has released another set of documents from the CIA, revealing details of a project known as Brutal Kangaroo that targets closed Windows networks by jumping the air gap using thumb drives.

Components from this project create a covert network within the closed network and allow surveys and directory listings to be run and arbitrary executables to be executed.

The hacks revealed in these documents are similar to those used in the Stuxnet attacks against Iranian nuclear reactors.

One of the manuals describes the use of a tool known as Drifting Deadline, which first infects an Internet-connected computer and then a flash drive plugged into it. Using the same drive on any other computer would spread the infection.

The creation of a covert network, using software called Shadow, would allow the CIA to control it and carry out attacks or surveillance.

The main vector for infection on thumb drives is a hand-crafted .lnk file that can load and execute a dynamic-link library without any user interaction. Older versions of this used a mechanism called EZCheese, a zero-day vulnerability that was patched by Microsoft in March 2015.

Newer versions use a similar but as yet unknown link-file vulnerability (Lachesis/RiverJack) related to Windows' library-ms functionality.

