CIA Malware Cyberweapon – Another SMB “Tool”

Topic

New Reply

Catalin Cimpanu, on bleepingcomputer.com, has posted an article about one of the recent Wikileaks Vault 7 series of dumps. “CIA Malware Can Switch Cle
[See the full post at: CIA Malware Cyberweapon – Another SMB “Tool”]

Reply | Quote

Replies

From securityweek.com:

CIA Tool ‘Pandemic’ Replaces Legitimate Files With Malware
Eduard Kovacs | June 2, 2017

The fact that WikiLeaks delayed last week’s dump until the day the Russian government once again denied interfering with U.S. elections has led some members of the infosec community to believe that the leaks may be timed to serve other purposes, not just to expose the CIA’s activities.

Reply | Quote

Does some part of OneDrive transfer its data to/from online servers through SMB connections?

I know it used to be possible to map drive letters to it. I’m not sure about the current releases because I eliminate the OneDrive feature immediately from every system I install, so I have no recent experience watching OneDrive packets go by…

I do know that if you search online you can find a fair number of cloud services that can (or could) be mapped as “network drives”, implying possible vulnerability to this Pandemic tool. I honestly don’t know if they use SMB under the covers.

Cloud integration sounds neat – the world becomes your storage device – but don’t think for a moment it’s without peril.

-Noel

4 users thanked author for this post.

Elly, AJNorth, Cascadian, Bill C.

Reply | Quote

Yeah, the “Cloud” sounds cool.  But it quickly loses its appeal (at least to me) since it is a delegation of the security and integrity of data to someone else.

No personal data of mine will ever be stored in the “Cloud”.

Reply | Quote

If the Cloud ever held my interest, it was for a very short time. Because all the eager people selling me the concept would not answer, ‘isn’t your cloud just a new name for your servers holding my data?’

That, and at the time I did not have the luxury of Unlimited Data, as a billing plan. It seemed to me the was an elitist concept that made big bucks off people who did not have a backup plan in place. Not that I’ve always kept mine adequately, but I knew I could if I weren’t lazy.

Most Companies are in business to give good faithful service. But I did not like the business model where I send all my information to someone else, who could one day leverage that hold on my wallet.

Reply | Quote

Noel Carboni wrote:

Does some part of OneDrive transfer its data to/from online servers through SMB connections?

It uses port 443 with TLS encryption.

5 users thanked author for this post.

Elly, SueW, jelson, Noel Carboni, Cascadian

Reply | Quote

Doesn’t answer my question directly, but does underscore that the connections are encrypted, and so less likely to be attacked by a man in the middle. Whether encrypted sufficiently is a separate discussion topic.

-Noel

Reply | Quote

I think it does answer your question.
Port 443 refers to https in all scenarios.
Have you actually seen SMB used over the Internet (without a VPN) by any serious implementation?

Reply | Quote

That just sounds like more anti-russian hooey by the usual suspects.  Its scary that such serious security holes and more have gone unpatched in Microsoft’s OS.   That makes you wonder if Microsoft really meant to patch them or did they have an understanding between MS and the CIA.

Reply | Quote

Work does not allow access to Wikileaks, I’m not able to get to the detailed information on this.  The “manual” sounds interesting.

A question coming to mind for me is:  Does the version of SMB come into play for this exploit?

We were fairly well protected from the previous dump’s exploits by disabling SMB1.

Has anyone seen information that would give us any hope that it’s similar for this exploit?

Thanks,

Jim

Reply | Quote