WikiLeaks has recently published a document on a tool used by the U.S. Central Intelligence Agency (CIA) to hack routers and access points, released as part of its ongoing Vault 7 series. Vault 7 is WikiLeaks' collection of leaked documents covering the CIA's covert global hacking operations.
The tool, dubbed CherryBlossom, is designed to monitor a target's internet activity and to deliver exploits by way of wireless networking devices. It was developed and implemented by the CIA with the help of SRI International, a nonprofit research center.
CherryBlossom has been under development since 2006 and can target more than 200 device models from 20 vendors, including 3Com, Accton, Cisco, Ambit, AMIT, Asus, Apple, Breezecom, D-Link, Gemtek, Global Sun, Linksys, Orinoco, Planet Tec, Senao, US Robotics and Z-Com.
Flytrap is the main component of CherryBlossom: it is the implant embedded in the device's firmware, and it detects and exploits selected targets. The implant can be delivered in several ways. One is Claymore, “a survey, collection, and implant tool used to determine wireless device make, model, and version and to implant supported devices with CB firmware”. It can also be delivered through the device's own firmware upgrade functionality or, for devices that do not allow a remote update, through physical access to the router.
Once the implant is in place, the Flytrap contacts the command and control (C&C) server, CherryTree, and operators manage it through a web-based user interface named CherryWeb. Because the implant sits in the router itself, it can carry out man-in-the-middle attacks and track the activity of every user on the network. The implant can be instructed to:
- Collect email addresses, chat usernames and VoIP numbers, and monitor network traffic
- Redirect a target's browser
- Proxy the victim's network connections
- Execute applications
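A router implant that reports to a C&C server, as described above, leaves one trace a defender can look for without vendor cooperation: the router itself starts originating outbound connections on a schedule. The script below is an added example written for this article; it is not code from the WikiLeaks release or from the CherryBlossom documentation. It assumes flow records in a simple "timestamp src dst dport bytes" format (the sample lines, the gateway address 192.168.1.1 and the thresholds are constructed for the example) and flags destinations that the router contacts repeatedly with near-constant spacing.

```python
"""Periodic-callback detection over constructed flow records.

Added example, not part of the WikiLeaks release or the CherryBlossom
documentation. A home or office router normally originates very little
traffic of its own (DNS forwarding, NTP, the vendor's update check); an
implant that reports to a C&C server adds a connection that repeats on a
fixed schedule. The heuristic groups the router's outbound flows by
destination and flags any destination contacted at least MIN_HITS times
with inter-arrival jitter (stdev / mean) at or below MAX_CV.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ROUTER_IP = "192.168.1.1"   # assumed gateway address (example value)
MIN_HITS = 4                # need a few repeats before judging periodicity
MAX_CV = 0.15               # coefficient of variation of gaps; lower = more regular

# Constructed sample flows: "timestamp src dst dport bytes".
# 203.0.113.10:443 is contacted every ~5 minutes by the router itself;
# the DNS and NTP flows are irregular, and 192.168.1.42 is an ordinary client.
SAMPLE_FLOWS = """\
2017-06-15T10:00:02 192.168.1.1 203.0.113.10 443 1320
2017-06-15T10:00:09 192.168.1.1 192.0.2.53 53 96
2017-06-15T10:05:01 192.168.1.1 203.0.113.10 443 1298
2017-06-15T10:07:44 192.168.1.1 192.0.2.53 53 102
2017-06-15T10:10:03 192.168.1.1 203.0.113.10 443 1311
2017-06-15T10:12:30 192.168.1.1 192.0.2.123 123 76
2017-06-15T10:15:02 192.168.1.1 203.0.113.10 443 1305
2017-06-15T10:20:01 192.168.1.1 203.0.113.10 443 1330
2017-06-15T10:21:17 192.168.1.1 192.0.2.53 53 88
2017-06-15T10:24:05 192.168.1.1 192.0.2.53 53 91
2017-06-15T10:03:00 192.168.1.42 198.51.100.7 443 8812
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_periodic_callbacks(flows, router_ip=ROUTER_IP, min_hits=MIN_HITS, max_cv=MAX_CV):
    """Return {(dst, dport): (hits, mean_gap_seconds, cv)} for router-originated
    flows whose inter-arrival times are suspiciously regular."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if src == router_ip:                      # only traffic the router itself originates
            by_dst[(dst, dport)].append(ts)

    findings = {}
    for key, stamps in by_dst.items():
        if len(stamps) < min_hits:                # too few samples to call it periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:                              # duplicate timestamps; skip
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[key] = (len(stamps), avg, cv)
    return findings


if __name__ == "__main__":
    for (dst, dport), (hits, avg, cv) in find_periodic_callbacks(parse_flows(SAMPLE_FLOWS)).items():
        print(f"router -> {dst}:{dport}: {hits} connections, every {avg:.0f}s (jitter cv={cv:.3f})")
```

On the sample data only 203.0.113.10:443 is reported (five connections, 299.75 s apart, jitter well under one percent); the four DNS flows are rejected because their spacing is irregular, and the client's traffic is ignored because it is not router-originated. Vendor update checks and NTP are also periodic, so in practice the flagged destinations are compared against an allow-list of the vendor's known hosts before anyone pulls the firmware for inspection.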