A new WikiLeaks release of documents shows the CIA’s capability to infect air-gapped computers and networks via booby-trapped USB sticks.
The CIA would start by infecting an Internet-connected computer inside the target organization with malware, which would in turn infect any inserted USB sticks with a second piece of malware. If such a USB stick is ultimately inserted into the air-gapped computer, that computer is infected with survey/exfiltration malware.
The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction.
The tool suite consists of the following components:
- Drifting Deadline is the thumbdrive infection tool
- Shattered Assurance is a server tool that handles automated infection of thumbdrives (as the primary mode of propagation for the Brutal Kangaroo suite)
- Broken Promise is the Brutal Kangaroo postprocessor (to evaluate collected information)
- Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network)
Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but as yet unknown, link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.
Microsoft didn’t say when it patched the vulnerabilities exploited by Lachesis and RiverJack, but pointed out that earlier this month Microsoft patched a critical vulnerability that allowed .LNK files stored on removable drives and remote shares to execute malicious code. “Microsoft said in its advisory that the vulnerability was being actively exploited but didn’t elaborate.”
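As an added defender-side example (not code from the leaked documents or from the article): a minimal parser for the .LNK shortcut format the article names as the execution vector, plus a triage heuristic that flags shortcuts whose string fields reference a DLL or a DLL loader. Field layout follows the public MS-SHLLINK specification; the sample shortcut is constructed inline, and the `.dll`/`rundll32`/`regsvr32` heuristic is an assumption of this example, not a signature from the page.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # CLSID_ShellLink, on-disk byte order
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80         # LinkFlags bits
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))  # StringData order and flag bit
SUSPECT = re.compile(r"\.dll\b|rundll32|regsvr32", re.IGNORECASE)  # heuristic, an assumption

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of an MS-SHLLINK file (IDList and LinkInfo are skipped)."""
    if data[:20] != struct.pack("<I16s", 0x4C, LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                      # end of the fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                        # IDListSize (u16) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                      # LinkInfoSize (u32) covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        raw = data[off + 2:off + 2 + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += 2 + width * count
    return fields

def suspicious_fields(fields: dict) -> list:
    """StringData fields that name a DLL or a DLL loader (rundll32/regsvr32)."""
    return sorted(k for k, v in fields.items() if SUSPECT.search(v))

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed input: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE).ljust(76, b"\0")
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + chars
    return header + sd(relative_path) + sd(arguments)

# Constructed sample: a shortcut on a removable drive whose arguments hand a DLL to a loader.
SAMPLE_LNK = build_sample_lnk(".\\docs\\readme.lnk", "payload.dll,Entry")
```

To triage a mounted removable volume, walk it with os.walk, feed every *.lnk file through parse_lnk (catching ValueError for files that only carry the extension) and report those for which suspicious_fields is non-empty.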