Malc0de CyberNet

CIA Hacking Tools Remotely Control Video Streams and Security Cameras


The CIA has apparently stockpiled a mass of spying tools. CouchPotato and Dumbo are two such recently leaked exploits, and they reveal the CIA’s strategies for controlling surveillance.

In March, WikiLeaks began publishing a series of leaks on the U.S. Central Intelligence Agency. Code-named “Vault 7”, the project is focused on sharing exploits created and used by the United States Central Intelligence Agency. It began with the leaking of 8,761 documents discovered within an isolated network in Langley, Virginia.

Vault7 now sheds light on two new exploits aimed at

CouchPotato

CouchPotato is a remote tool intended to target RTSP/H.264 video streams coming from networked cameras. It gives CIA hackers the ability to “collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame.”
Unlike Dumbo, it does not appear to require physical access to a PC. The tool uses FFmpeg for video and image encoding and decoding and for Real Time Streaming Protocol connectivity. Real Time Streaming Protocol, or RTSP, is a network control protocol designed for use in entertainment and communication systems to control streaming media servers.
To minimize the size of the DLL binary, many of the audio and video codecs, along with other unnecessary features, have been removed from the version of ffmpeg that CouchPotato is built with. pHash, an image hashing algorithm, has been incorporated into ffmpeg’s image2 demuxer to provide image change detection.
The CouchPotato tool works stealthily, leaving no evidence on the targeted systems, because it has been designed to support the ICE v3 “Fire and Collect” loader. ICE is an in-memory code execution technique that runs malicious code without the module’s code ever being written to disk.
The documents posted to WikiLeaks deal with the first version of the application, and it isn’t clear whether other versions exist. If improved versions exist, they would probably address the excess CPU usage time, which increases the chances of detection.
However, neither WikiLeaks nor the leaked user guide details how the agency penetrates the targeted systems in the first place, but it is possible that CouchPotato is used in combination with other tools.
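The image change detection the guide describes (pHash grafted onto ffmpeg’s image2 demuxer, so that only frames differing “significantly” from the last kept one are captured) is a standard perceptual-hashing technique, and it is worth seeing how little it takes. The block below is an added example, not CouchPotato or ffmpeg code: it is a dependency-free DCT-based pHash over constructed 32x32 greyscale frames, with the Hamming distance between successive hashes used as the change score. The frame generator, the `make_frame`/`phash`/`frame_changed` names and the threshold value of 10 are all assumptions made for this illustration.

```python
"""DCT-based perceptual hashing (pHash) for frame-change detection.

Added example, not CouchPotato or ffmpeg code. The frames are constructed in
this file; a real pipeline would feed 32x32 greyscale downscales of decoded
RTSP/H.264 frames into phash() instead.
"""
import math

SIZE = 32      # pHash operates on a 32x32 greyscale downscale of the frame
LOW = 8        # the 8x8 low-frequency DCT block feeds the hash
# Cosine table for the type-II DCT, only the LOW rows we actually use
COS = [[math.cos((2 * i + 1) * u * math.pi / (2 * SIZE)) for i in range(SIZE)]
       for u in range(LOW)]


def make_frame(seed: int) -> list[list[int]]:
    """Construct a synthetic frame: smooth gradient plus LCG texture (constructed data)."""
    state = seed & 0xFFFFFFFF
    frame = []
    for y in range(SIZE):
        row = []
        for x in range(SIZE):
            state = (1103515245 * state + 12345) & 0xFFFFFFFF
            row.append(min(255, 4 * x + 2 * y + (state >> 16) % 64))
        frame.append(row)
    return frame


def invert(frame):
    """A drastically different frame (the negative image) for the demo."""
    return [[255 - p for p in row] for row in frame]


def low_freq_dct(frame):
    """Type-II 2-D DCT, computed only for the LOW x LOW coefficients we need."""
    block = [[0.0] * LOW for _ in range(LOW)]
    for u in range(LOW):
        cu = math.sqrt(0.5) if u == 0 else 1.0
        for v in range(LOW):
            cv = math.sqrt(0.5) if v == 0 else 1.0
            s = 0.0
            for y in range(SIZE):
                cy = COS[u][y]
                for x in range(SIZE):
                    s += frame[y][x] * cy * COS[v][x]
            block[u][v] = cu * cv * s * 2 / SIZE
    return block


def phash(frame) -> int:
    """63-bit hash: a 1 bit where a low-frequency coefficient exceeds the median.
    The DC term is dropped so a global brightness change does not dominate."""
    block = low_freq_dct(frame)
    coeffs = [block[u][v] for u in range(LOW) for v in range(LOW)][1:]
    median = sorted(coeffs)[len(coeffs) // 2]   # 63 values -> exact middle element
    bits = 0
    for c in coeffs:
        bits = (bits << 1) | (1 if c > median else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing hash bits: the 'how much did the scene change' score."""
    return bin(a ^ b).count("1")


def frame_changed(prev, cur, threshold: int = 10) -> bool:
    """True when the new frame differs significantly from the last kept one.
    The threshold (assumed value) is the tuning knob: higher keeps fewer frames."""
    return hamming(phash(prev), phash(cur)) > threshold


if __name__ == "__main__":
    ref = make_frame(1)
    print(f"reference hash: {phash(ref):016x}")
    print("identical frame changed?", frame_changed(ref, ref))
    print("negative frame changed?", frame_changed(ref, invert(ref)),
          "distance =", hamming(phash(ref), phash(invert(ref))))
```

Two properties matter for a defender reading the guide: the hash is cheap to compare (one XOR and a popcount per frame pair), so the expensive part is the per-frame DCT, which is exactly the “excess CPU usage” the leak mentions as a detection risk; and because only significantly changed frames are kept, the tool’s output volume, not its input volume, is what leaves a footprint.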

Dumbo

Dumbo identifies installed devices such as webcams and microphones, whether local or connected over wireless (Bluetooth, WiFi) or wired networks. Once they are identified, the Dumbo program lets CIA agents:

  • Mute all microphones
  • Disable all network adapters
  • Suspend any processes using a camera recording device
  • Selectively corrupt or delete recordings

By deleting or manipulating recordings, the operator can create fake evidence or destroy real evidence of the intrusion operation.

Dumbo requires SYSTEM-level privileges to run. For the log to be maintained, the thumb drive Dumbo is executed from must remain plugged into the system throughout the duration of the operation.
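The combination described above (a process running as SYSTEM from removable media that then mutes microphones, disables adapters and suspends camera processes within a short span) is a behavioural sequence a defender can hunt for. The following is an added example, not CIA or WikiLeaks material: a small correlator run over constructed endpoint telemetry. The record schema, field names, process ids and sample events are all invented for the illustration and would need mapping onto real EDR or event-log fields; the five-minute window and the “at least two distinct action kinds” rule are assumed tuning choices.

```python
"""Heuristic correlator for a Dumbo-like action sequence over endpoint telemetry.

Added example, not from the leak. All records below are constructed; the schema
(timestamp, event kind, process id, details) is an assumption, not any vendor's format.
"""
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, event kind, process id, details)
SAMPLE_EVENTS = [
    ("2017-08-03T10:00:00", "process_start", 4242,
     {"image": "E:\\tools\\update.exe", "user": "NT AUTHORITY\\SYSTEM", "removable": True}),
    ("2017-08-03T10:00:02", "adapter_disabled", 4242, {"adapter": "Wi-Fi"}),
    ("2017-08-03T10:00:03", "adapter_disabled", 4242, {"adapter": "Ethernet"}),
    ("2017-08-03T10:00:05", "process_suspended", 4242, {"target": "webcam_capture.exe"}),
    ("2017-08-03T10:00:06", "audio_muted", 4242, {"device": "Microphone Array"}),
    # Benign: an administrator disabling one adapter with an installed tool
    ("2017-08-03T11:30:00", "process_start", 5151,
     {"image": "C:\\Windows\\System32\\netsh.exe", "user": "CORP\\admin", "removable": False}),
    ("2017-08-03T11:30:01", "adapter_disabled", 5151, {"adapter": "Ethernet"}),
]

# Event kinds that match the documented Dumbo capabilities
SUSPICIOUS = {"adapter_disabled", "process_suspended", "audio_muted"}


def is_system_from_removable(details: dict) -> bool:
    """Precondition from the guide: SYSTEM privileges and execution from a thumb drive."""
    user = details.get("user", "").upper()
    return bool(details.get("removable")) and user.endswith("\\SYSTEM")


def find_dumbo_like(events, window=timedelta(minutes=5), min_kinds=2):
    """Return one alert per process that started as SYSTEM from removable media and,
    within `window` of starting, performed at least `min_kinds` distinct suspicious
    action kinds. Keying on process id is a simplification; a real rule would also
    follow child processes."""
    starts = {}
    for ts, kind, pid, details in events:
        if kind == "process_start" and is_system_from_removable(details):
            starts[pid] = (datetime.fromisoformat(ts), details["image"], set())
    for ts, kind, pid, details in events:
        if kind in SUSPICIOUS and pid in starts:
            t0, _image, kinds = starts[pid]
            if t0 <= datetime.fromisoformat(ts) <= t0 + window:
                kinds.add(kind)
    return [
        {"pid": pid, "image": image, "actions": sorted(kinds)}
        for pid, (_t0, image, kinds) in starts.items()
        if len(kinds) >= min_kinds
    ]


if __name__ == "__main__":
    for alert in find_dumbo_like(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']} actions={alert['actions']}")
```

The rule deliberately keys on the two preconditions the guide itself states (SYSTEM privileges, execution from a thumb drive that stays plugged in) rather than on any single action, since disabling an adapter or muting a microphone is routine on its own; it is the combination within a short window that is unusual.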

Previous Vault7 Leaks

“Vault 7” is a substantial collection of material about CIA activities obtained by WikiLeaks since March 2017. These leaked tools include:

  • Imperial: Explores 3 CIA-developed hacking tools and implants targeting Apple Mac OS X and some flavours of Linux operating systems.
  • UCL/Raytheon: An alleged CIA contractor which analyzed malware, helping the CIA develop its own malware.
  • Highrise: An alleged CIA project that lets the spying agency stealthily collect and forward stolen data from compromised smartphones to its server via SMS.
  • BothanSpy and Gyrfalcon: CIA implants that let the CIA intercept and exfiltrate SSH credentials from targeted Windows and Linux PCs using different attack vectors.
  • OutlawCountry: An alleged CIA project aimed at hacking and remotely spying on systems running Linux OS.
  • ELSA: Alleged CIA malware that tracks the geolocation of targeted computers and laptops running Windows.
  • Brutal Kangaroo: A tool suite for Windows used by CIA agents to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.
  • Cherry Blossom: A framework employed by the agency to monitor the Internet activity of targeted systems by exploiting flaws in Wi-Fi devices.
  • Pandemic: A CIA project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other PCs of interest inside the same network.
  • Athena: A spyware framework that the agency designed to take full remote control over infected Windows systems; it works against every version of Windows OS, from Windows XP to Windows 10.
  • AfterMidnight and Assassin: CIA malware frameworks for the Microsoft Windows platform that are meant to monitor and report back actions on the infected remote host PC and execute malicious actions.
  • Archimedes: Man-in-the-middle attack tool reportedly developed by the CIA to target computers and laptops inside a Local Area Network (LAN).
  • Scribbles: Software supposedly designed to embed ‘web beacons’ into confidential files and documents, allowing the CIA to track insiders and whistleblowers.
  • Grasshopper: A framework that allowed the spying agency to quickly create custom malware for breaking into Microsoft Windows OS and bypassing antivirus protection.
  • Marble: Source code of a secret anti-forensic framework used by CIA agents to hide the actual source of its malware.
  • Dark Matter: Hacking tools the spying agency used to target iPhones and Macs.
  • Weeping Angel: Spying tool used by the CIA to infiltrate smart TVs, transforming them into covert microphones.
  • Year Zero: CIA hacking tools and exploits for popular hardware and software.
