Endpoint Security , Incident & Breach Response , Managed Detection & Response (MDR)

Leak Reveals CIA 'CherryBlossom' Program Targeting Routers

WikiLeaks Dump Describes Custom Linux Firmware to Pwn Widely Used Routers
Leak Reveals CIA 'CherryBlossom' Program Targeting Routers
Source: WikiLeaks

A new dump from WikiLeaks has revealed an apparent CIA project - code named "CherryBlossom" - that since 2007 has used customized, Linux-based firmware covertly installed on business and home routers to monitor internet traffic and as a stepping stone for exploiting targets' devices.

See Also: Gartner Guide for Digital Forensics and Incident Response

Details of the CherryBlossom project were published Thursday by secrets-spilling organization WikiLeaks, as part of its ongoing series of "Vault 7" dumps of apparent CIA attack tools.

Previously leaked Vault 7 information, which dated from 2013 to 2016, described programs with such names as AfterMidnight, Athena, Dark Matter, Grasshopper, Hive, Pandemic and Weeping Angel. The identity of whoever leaked the information to WikiLeaks - and their motivation - remains unknown (see 7 Facts: 'Vault 7' CIA Hacking Tool Dump by WikiLeaks).

No Source Code

Unlike the "Equation Group" leaks of alleged NSA attack tools by the Shadow Brokers, the Vault 7 releases by WikiLeaks, including CherryBlossom, contain no source code or executable binaries. As a result, attackers cannot use the exploits referenced in the leak. But the leaked documentation does include indicators of compromise. As a result, as noted by the security researcher who tweets under the handle x0rz, potential victims can now scan their networks, as well as historical logs, for signs that they may have been exploited via CherryBlossom.

What's the Risk?

Despite the existence of a covert CIA router-infection program that's been operating since 2007, many security experts say the risk posed to the vast majority of non-U.S. citizens remains very low. Instead, they warn that numerous routers remain so poorly secured and rarely updated that anyone - cybercrime gang, bored teenager or nation state - could compromise them with little trouble.

Indeed, the Mirai malware that sprang up last year targeted default credentials in dozens of different types of internet of things devices built by numerous manufacturers. Mirai's success was directly proportional to the quantity of poorly secured routers that it was able to compromise (see Free Source Code Hacks IoT Devices to Build DDoS Army).

Many routers have known access credentials, notes Jake Williams, a cybersecurity consultant, exploit development instructor for SANS Institute, and former NSA employee. As a result, without needing to develop or load custom firmware, any attacker could access such devices to alter their DNS settings and launch man-in-the-middle attacks against users who connect to the devices, Williams notes via Twitter.

Cybercriminals, for example, cooked up DNSChanger malware to alter domain name settings on PCs and redirect users to rogue DNS servers. While that malware was created to commit "advertising replacement fraud" - and click fraud - attackers could have easily logged, stored or manipulated traffic flowing to or from compromised devices or infected routers as part of their campaign.

User Guide to CherryBlossom

Source: WikiLeaks

Starting in 2007, however, the CherryBlossom project was designed to infect wireless routers and access points with custom-built firmware, which could allow the devices to be used as man-in-the-middle attack points against targets of interest.

The 175-page CherryBlossom user manual, which includes a "secret" classification, notes that "as of August 2012, CB-implanted firmwares can be built for roughly 25 different devices from 10 different manufacturers (including Asus, Belkin, Buffalo, Dell, Dlink, Linksys, Motorola, Netgear, Senao, and US Robotics)." The manual, dated 2012, says the program has been running since 2007.

"The Cherry Blossom (CB) system provides a means of monitoring the internet activity of and performing software exploits on targets of interest. In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points (APs), to achieve these goals," the manual reads.

WikiLeaks notes in an overview that accompanies the CherryBlossom document dump that "by altering the data stream between the user and internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user."

WikiLeaks says the CIA developed and implemented CherryBlossom with the help of Stanford Research Institute, aka SRI International, which is an independent, nonprofit Silicon Valley research center. SRI International couldn't be immediately reached for comment.

Forcing Wireless Firmware Updates

Custom CherryBlossom firmware can be installed on targeted devices using a variety of techniques, according to the user guide, including connecting via a LAN or wireless LAN. The guide adds that for routers that do not allow wireless users to update firmware, special exploitation tools have been developed that force the routers to do so anyway.

After the firmware gets installed and the device reboots, the documentation refers to the device as a FlyTrap, and notes that it will "beacon" to a command-and-control server, called the CherryTree, at preset intervals, or to alert the administrator when specified events occur. Those communications get routed through a point of presence, aka Snowball.

The CherryTree can then send a mission, as specified by an operator, back to the FlyTrap. Operators can manage these missions, issue new ones and view results via a browser-based user interface - dubbed CherryWeb. Various tasks can be assigned - for example, to scan for specific email addresses and copy all traffic going to or from that address.

Source: WikiLeaks

The user guide notes that all data - except for intercepted network traffic - exfiltrated via the FlyTrap is encrypted and disguised as an HTTP cookie for an image file. After the FlyTrap sends the exfiltrated data, the CherryTree responds by sending a binary image file, again to make the covert communication appear to be legitimate.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.