• CIA Malware Cyberweapon – Another SMB “Tool”



    Catalin Cimpanu, on bleepingcomputer.com, has posted an article about one of the recent Wikileaks Vault 7 series of dumps. “CIA Malware Can Switch Cle

    • #119067

      From securityweek.com:

      CIA Tool ‘Pandemic’ Replaces Legitimate Files With Malware
      Eduard Kovacs | June 2, 2017

      The fact that WikiLeaks delayed last week’s dump until the day the Russian government once again denied interfering with U.S. elections has led some members of the infosec community to believe that the leaks may be timed to serve other purposes, not just to expose the CIA’s activities.

    • #119090

      Does some part of OneDrive transfer its data to/from online servers through SMB connections?

      I know it used to be possible to map drive letters to it. I’m not sure about the current releases because I eliminate the OneDrive feature immediately from every system I install, so I have no recent experience watching OneDrive packets go by…

      I do know that if you search online you can find a fair number of cloud services that can (or could) be mapped as “network drives”, implying possible vulnerability to this Pandemic tool. I honestly don’t know if they use SMB under the covers.

      Cloud integration sounds neat – the world becomes your storage device – but don’t think for a moment it’s without peril.


      • #119103

        Yeah, the “Cloud” sounds cool. But it quickly loses its appeal (at least to me) since it is a delegation of the security and integrity of data to someone else.

        No personal data of mine will ever be stored in the “Cloud”.

      • #119114

        If the Cloud ever held my interest, it was for a very short time. Because all the eager people selling me the concept would not answer, ‘isn’t your cloud just a new name for your servers holding my data?’

        That, and at the time I did not have the luxury of Unlimited Data as a billing plan. It seemed to me that it was an elitist concept that made big bucks off people who did not have a backup plan in place. Not that I’ve always kept mine adequately, but I knew I could if I weren’t lazy.

        Most companies are in business to give good faithful service. But I did not like the business model where I send all my information to someone else, who could one day leverage that hold on my wallet.

      • #119128

        Does some part of OneDrive transfer its data to/from online servers through SMB connections?

        It uses port 443 with TLS encryption.

        • #119190

          Doesn’t answer my question directly, but does underscore that the connections are encrypted, and so less likely to be attacked by a man in the middle. Whether encrypted sufficiently is a separate discussion topic.


          • #119195

            I think it does answer your question.
            Port 443 refers to https in all scenarios.
            Have you actually seen SMB used over the Internet (without a VPN) by any serious implementation?
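The posts above argue about whether the OneDrive client ever talks SMB (445/139) or only HTTPS (443). Rather than guess, you can look at the live connections. The following PowerShell is an added check for this thread, not code from the original posts or from Microsoft; it assumes the sync client process is named "OneDrive" and that the NetTCPIP and SmbShare modules are available (Windows 8 / Server 2012 and later).

```powershell
# Added check (not from the thread): which remote ports is OneDrive.exe actually using?
# Assumes the sync client process is named "OneDrive" and that the NetTCPIP and
# SmbShare modules are present (Windows 8 / Server 2012 and later).

$procs = Get-Process -Name OneDrive -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning 'OneDrive.exe is not running; nothing to inspect.'
    return
}

$conns = Get-NetTCPConnection -OwningProcess $procs.Id -State Established -ErrorAction SilentlyContinue

if (-not $conns) {
    Write-Host 'OneDrive has no established TCP connections right now.'
} else {
    # Label the ports the discussion cares about: 443 (HTTPS) versus 445/139 (SMB).
    $conns | Group-Object -Property RemotePort | ForEach-Object {
        $label = switch ([int]$_.Name) {
            443     { 'HTTPS' }
            445     { 'SMB (direct hosting)' }
            139     { 'SMB over NetBIOS' }
            default { 'other' }
        }
        [pscustomobject]@{
            RemotePort  = [int]$_.Name
            Protocol    = $label
            Connections = $_.Count
            Peers       = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
}

# Independently of the per-process view, list every SMB session this host currently
# holds as a client. A cloud-storage host showing up here would contradict the
# "443 only" answer; an empty list is consistent with it.
Get-SmbConnection -ErrorAction SilentlyContinue |
    Select-Object ServerName, ShareName, Dialect, NumOpens |
    Format-Table -AutoSize
```

Run it while the client is actively syncing a file, otherwise the connection list may be empty. Note that a "network drive" mapped through a third-party cloud agent would show up under that agent's process, not under OneDrive, so repeat the first part with that process name if you are checking one of the services mentioned earlier in the thread.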

    • #119085

      That just sounds like more anti-Russian hooey by the usual suspects. It’s scary that such serious security holes and more have gone unpatched in Microsoft’s OS. That makes you wonder if Microsoft really meant to patch them or did they have an understanding between MS and the CIA.

    • #119099

      Work does not allow access to Wikileaks, so I’m not able to get to the detailed information on this. The “manual” sounds interesting.

      A question coming to mind for me is: Does the version of SMB come into play for this exploit?

      We were fairly well protected from the previous dump’s exploits by disabling SMB1.

      Has anyone seen information that would give us any hope that it’s similar for this exploit?
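The poster above relied on disabling SMB1 after the earlier dump and asks whether the SMB version matters this time. Whatever the answer, the first thing to confirm is that SMB1 really is off on both the server and the client side, and which dialects your live SMB sessions negotiated. The following PowerShell is an added check for this thread, not from the original posts or from any vendor; it assumes an elevated session on Windows 8 / Server 2012 or later with the SmbShare and DISM modules, and it says nothing about whether the tool under discussion depends on the dialect.

```powershell
# Added check (not from the thread): is SMB1 still enabled on this host, and what
# dialects are current SMB sessions using? Run elevated on Windows 8 / Server 2012+
# (SmbShare and DISM modules). This shows SMB1 exposure only; it does not establish
# whether the tool discussed in the thread depends on the SMB dialect.

$checks = New-Object System.Collections.Generic.List[object]
function Add-Check($Name, $Value, $Want) {
    $checks.Add([pscustomobject]@{
        Check = $Name
        Value = "$Value"
        Want  = "$Want"
        OK    = ("$Value" -eq "$Want")
    })
}

# Server side: is the SMB1 dialect still offered, and is signing required?
$srv = Get-SmbServerConfiguration
Add-Check 'Server offers SMB1 (EnableSMB1Protocol)' $srv.EnableSMB1Protocol $false
Add-Check 'Server requires signing (RequireSecuritySignature)' $srv.RequireSecuritySignature $true

# Client side: the SMB1 client driver (mrxsmb10) can stay running even when the
# server-side protocol is switched off, so check it separately.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
if ($drv) { Add-Check 'SMB1 client driver mrxsmb10' $drv.State 'Stopped' }
else      { Add-Check 'SMB1 client driver mrxsmb10' 'not present' 'not present' }

# Installed component: optional feature on client SKUs, role feature on Server.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat) {
    Add-Check 'SMB1Protocol optional feature' $feat.State 'Disabled'
} elseif (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Add-Check 'FS-SMB1 server feature' (Get-WindowsFeature -Name FS-SMB1).InstallState 'Available'
}

$checks | Format-Table -AutoSize

# Negotiated dialect of current outbound SMB sessions; anything below 2.x is SMB1.
Get-SmbConnection -ErrorAction SilentlyContinue |
    Select-Object ServerName, ShareName, Dialect |
    Sort-Object Dialect |
    Format-Table -AutoSize
```

Every row should read OK = True. A machine that shows EnableSMB1Protocol = False but a running mrxsmb10 driver can still be talked into an SMB1 session as a client by a malicious or downgraded server, which is why the client-side rows are there at all.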


