U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

WikiLeaks – CIA used the AngelFire implant infect systems running Windows OSs

A new batch of documents from CIA Vault 7 leaks revealed details about a new implant dubbed AngelFire used to infect systems running Windows OSs. A new batch of documents from Vault 7 leaks revealed details about a new implant, dubbed AngelFire that was used by CIA agents to infect systems running Windows OS. AngelFire was part of the CIA arsenal, the hacking tool was used to […]

CIA analyst

A new batch of documents from CIA Vault 7 leaks revealed details about a new implant dubbed AngelFire used to infect systems running Windows OSs.

A new batch of documents from Vault 7 leaks revealed details about a new implant, dubbed AngelFire that was used by CIA agents to infect systems running Windows OS.

AngelFire was part of the CIA arsenal, the hacking tool was used to gain persistence on the infected systems.

The documents describe the AngelFire framework implants as a persistent backdoor that infects the partition  Boot Sector. According to the user manual leaked by WikiLeaks, AngelFire requires administrative privileges to compromise the target system.

“Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire project of the CIA. Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system.” reads Wikileaks.

“Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).”

AngelFire cIA

Below the details for the five components composing the AngelFire framework:

1. Solartime — It is the component that modifies the partition boot sector to load and execute the Wolfcreek (kernel code) every time the system boots up.

2. Wolfcreek — It a self-loading driver (kernel code that Solartime executes) that loads other drivers and user-mode applications

3. Keystone — It is part of the Wolfcreek implant that leveraged DLL injection to execute the malicious user applications directly into system memory without dropping them into the file system. It is responsible for starting malicious user applications.

4. BadMFS — It is a is a library used to create a covert file system at the end of the active partition (or in a file on disk in later versions). It is used as a repository for the drivers and implants that Wolfcreek will start. All files are both encrypted and obfuscated to avoid string or PE header scanning.

5. Windows Transitory File system — It is a new method of installing AngelFire, which allows the CIA operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc.

According to the documents, the 32-bit version of the CIA implant works against Windows XP and Windows 7, while the 64-bit implant can be used to infect Server 2008 R2, Windows 7.

Below the list of release published by Wikileaks since March:

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Wikileaks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]