WikiLeaks released documents detailing the Cherry Blossom framework which is being used by the CIA cyber spies to hack into Wi-Fi devices.
WikiLeaks released a new batch of documents belonging to the Vault 7 leak, the files provide details related to the Cherry Blossom framework which is being used by the CIA cyber spies to hack into Wi-Fi devices.
The framework was developed by the CIA, along with experts at the Stanford Research Institute (SRI International), for hacking hundreds of home router models.
The Cherry Blossom framework was developed under the ‘Cherry Bomb’ project.
Cherry Blossom is a remotely controllable, firmware-based implant for wireless networking devices. It compromises routers and wireless access points (APs) by exploiting vulnerabilities in them to gain unauthorized access and then loading the custom Cherry Blossom firmware in place of the vendor's.
“The Cherry Blossom (CB) system provides a means of monitoring the internet activity of and performing software exploits on targets of interest. In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points (APs), to achieve these goals,” states the user manual.
“An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest.” reads the CherryBlossom — Users Manual (CDRL-12).
“The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection,” WikiLeaks says.
CherryBlossom is composed of four main components:
- FlyTrap – the beacon (the compromised firmware) that runs on the infected device and communicates with the CherryTree C&C server
- CherryTree – the C&C server that communicates with FlyTrap
- CherryWeb – the web-based admin panel running on CherryTree
- Mission – a set of tasks sent by the C&C server to infected devices
CIA cyber spies use the Cherry Blossom framework to compromise wireless networking devices on the targeted networks and then run man-in-the-middle attacks to eavesdrop on and manipulate the Internet traffic of connected devices.
FlyTrap can perform the following malicious tasks:
- Monitor network traffic to gather data of interest such as email addresses, MAC addresses, VoIP numbers, and chat user names
- Redirect users to malicious websites
- Inject malicious content into the data stream to deliver malware
- Set up VPN tunnels to reach clients connected to Flytrap’s WLAN/LAN for further exploitation
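The first task in that list, harvesting "data of interest" from traffic passing through the router, is easy to picture once written out. The following is an added illustration, not code from the leaked manuals or from any real implant: a passive filter over constructed frames that pulls email addresses, SIP (VoIP) identities, IRC nicknames and client MAC addresses out of cleartext application data. The `Frame` record, the regular expressions and the sample traffic are all this example's own assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Frame:
    """Constructed stand-in for one 802.11/Ethernet frame as seen by the router:
    the two MAC addresses plus the application-layer payload decoded as text."""
    src_mac: str
    dst_mac: str
    payload: str


# Patterns for the categories of "data of interest" the article names.
# These are this example's own choices, not patterns from the leaked documents.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# SIP From/To headers carry the VoIP identity, e.g.  From: <sip:1001@pbx.example>
SIP_RE = re.compile(r"^(?:From|To):\s*.*?<sip:([^@>]+)@", re.IGNORECASE | re.MULTILINE)
# The IRC NICK command reveals the chat user name in the clear.
IRC_NICK_RE = re.compile(r"^NICK\s+(\S+)", re.MULTILINE)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
# SIP URIs look like email addresses; they are stripped before the email scan
# so that a VoIP identity is not double-counted as an email address.
SIP_URI_RE = re.compile(r"sip:[^>\s]+")


@dataclass
class Harvest:
    """What a traffic-monitoring implant (or an IDS looking for the same
    exposure) would collect from the frames it observes."""
    emails: set = field(default_factory=set)
    voip_ids: set = field(default_factory=set)
    chat_nicks: set = field(default_factory=set)
    macs: set = field(default_factory=set)


def harvest(frames):
    """Run every frame through the extraction patterns and aggregate the hits."""
    h = Harvest()
    for f in frames:
        # Layer-2 addresses are visible to the router regardless of encryption.
        for mac in (f.src_mac, f.dst_mac):
            if MAC_RE.match(mac):
                h.macs.add(mac.lower())
        # Everything below depends on the payload being cleartext.
        h.emails.update(EMAIL_RE.findall(SIP_URI_RE.sub("", f.payload)))
        h.voip_ids.update(SIP_RE.findall(f.payload))
        h.chat_nicks.update(IRC_NICK_RE.findall(f.payload))
    return h


# Constructed sample traffic: a plain-HTTP webmail login, a SIP INVITE and an
# IRC session, all from clients behind the same (assumed) gateway.
SAMPLE_FRAMES = [
    Frame("aa:bb:cc:00:00:01", "00:11:22:33:44:55",
          "POST /login HTTP/1.1\r\nHost: webmail.example\r\n\r\n"
          "user=alice@example.org&pw=hunter2"),
    Frame("aa:bb:cc:00:00:02", "00:11:22:33:44:55",
          "INVITE sip:2002@pbx.example SIP/2.0\r\n"
          "From: \"Bob\" <sip:1001@pbx.example>;tag=1\r\n"
          "To: <sip:2002@pbx.example>\r\n"),
    Frame("aa:bb:cc:00:00:03", "00:11:22:33:44:55",
          "NICK carol_\r\nUSER carol 0 * :Carol\r\nJOIN #ops\r\n"),
]


if __name__ == "__main__":
    result = harvest(SAMPLE_FRAMES)
    print("emails:    ", sorted(result.emails))
    print("voip ids:  ", sorted(result.voip_ids))
    print("chat nicks:", sorted(result.chat_nicks))
    print("macs:      ", sorted(result.macs))
```

The point for a defender is the split inside `harvest`: the MAC addresses fall out of the frame headers no matter what, but the email, VoIP and chat identities are only recoverable because the sample sessions are unencrypted. Running the same filter over a capture taken on the WAN side of your own gateway is a quick way to inventory what a compromised router could see; anything that shows up is a candidate for moving to TLS, SRTP or a VPN that terminates beyond the access point.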
According to the documents, the CherryTree C&C server must be located in a secure sponsored facility and installed on Dell PowerEdge 1850 virtual servers running Red Hat Fedora 9 with at least 4GB of RAM.
The documents include a list of more than 200 router models that CherryBlossom can target; experts noticed that most of them are older models from various vendors, including Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com.
The full list of devices is included in a WikiLeaks document.
Below is the list of Vault 7 releases published by WikiLeaks since March:
- Cherry Blossom – 15 June, 2017
- Pandemic – 1 June, 2017
- Athena – 19 May, 2017
- AfterMidnight – 12 May, 2017
- Archimedes – 5 May, 2017
- Scribbles – 28 April, 2017
- Weeping Angel – 21 April, 2017
- Hive – 14 April, 2017
- Grasshopper – 7 April, 2017
- Marble Framework – 31 March, 2017
- Dark Matter – 23 March, 2017
(Security Affairs – Cherry Blossom, CIA)