
How the CIA Turns Routers into Surveillance Devices

by OPSWAT

A new release from Wikileaks reveals information about a tool the CIA developed in order to infect and spy on targets from wireless routers. Once routers are compromised, attackers have access to everything users are doing and can carry out exploits on connected devices. The CIA tool, dubbed "Cherry Blossom," essentially turns routers into surveillance devices.

Almost all router makes and models appear to be susceptible to Cherry Blossom.

"In particular," says Wikileaks, "CherryBlossom [sic] is focused on compromising wireless networking devices, such as wireless routers and access points.

"[T]hese devices are the ideal spot for 'Man-In-The-Middle' attacks, as they can easily monitor, control and manipulate the Internet [sic] traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system."

The Shadow Brokers and Wikileaks have been releasing information about CIA and NSA hacks and exploits for months (although the Shadow Brokers appear to be motivated primarily by financial gain). In recent years the NSA and the CIA have compiled multiple tools for compromising devices and networks in order to spy on targets.

But as was seen in the WannaCry ransomware attacks last month and in subsequent attacks that have exploited the same EternalBlue vulnerability, criminals can use these exploits just as easily as spy agencies.

How Cherry Blossom Works

For many kinds of routers, firmware can be updated wirelessly. The CIA hack uses this functionality to implant new firmware that contains Cherry Blossom on the router. This means that Cherry Blossom can be installed in routers remotely.

Additionally, almost any router can be targeted. The Cherry Blossom manual says (via The Verge), "CB-implanted firmwares [sic] can be built for roughly 25 different devices from 10 different manufacturers, including Asus, Belkin, Buffalo, Dell, DLink, Linksys, Motorola, Netgear, Senao, and US Robotics." (The brands listed in the manual are in alphabetical order.)

Once a router is compromised, all network traffic can be monitored.

Additionally, the CIA Command & Control server can send instructions to the infected router in order to perform a variety of malicious actions, ranging from exploiting vulnerabilities on a targeted user's endpoint, to redirecting the target's browser, to proxying the user's network connections (per Wikileaks).

Analysis: OPSWAT's Recommendations for Prevention

Routers are just one example of devices that run firmware, connect to the internet, and can be hacked by attackers for questionable purposes. And as usage of IoT devices grows more widespread, these kinds of attacks will grow ever more common. Indeed, IoT devices are already highly susceptible to attacks.

To combat these kinds of attacks, it will be necessary to develop cyber security solutions that can do five key things:

1. Detect and assess vulnerabilities on all kinds of devices.

With the continued proliferation of devices that require patching and updating to remain secure, it is ever more necessary to identify and assess vulnerabilities before attackers can use them. OPSWAT offers just such a solution, and you can view our page about the MetaDefender Vulnerability Engine to learn more.

2. Check the configuration of a router to verify how it updates firmware.

Verifying that a router upgrades firmware in a secure manner is essential in order to make sure router firmware "updates" from malicious sources are not possible.

3. Check whether firmware is from an authenticated vendor.

This would prevent the installation of imitation firmware, such as the Cherry Blossom-containing firmware the CIA was capable of pushing to routers.

4. Check whether firmware is up-to-date or not.

Firmware that has not been updated to a vendor's latest version will likely have unpatched vulnerabilities that leave routers (and other internet-capable devices) exposed to cyber attacks.

5. Check whether devices connect to any malicious IPs or domains.

Going forward, users and system administrators need visibility of whether or not a device is forwarding network traffic to a malicious third party, which would indicate that the device is compromised.
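The following script is an added example, not OPSWAT's or any router vendor's code, showing how points 2 through 5 above can be expressed as concrete checks a device or an administrator's tooling could run. Everything in it is constructed for the demonstration: the vendor key, the allowed update host, the version strings, the flow-log format, and the blocklist. It uses an HMAC tag to stand in for a vendor signature so that it runs with the Python standard library alone; a real device would verify an asymmetric signature with a vendor public key baked into the firmware, since a shared HMAC key cannot by itself prove that an image came from the vendor.

```python
"""Firmware-update and egress checks for a router, modelled on the
recommendations in the post above. Added example; all values constructed."""
import hashlib
import hmac
import json
import re
from urllib.parse import urlparse

# Constructed: key shared with the vendor for the demo. A real device would
# check an asymmetric signature (e.g. Ed25519) against a baked-in vendor
# public key instead of an HMAC.
VENDOR_KEY = b"demo-vendor-key-not-real"
# Constructed: the only host firmware may be fetched from (point 2).
ALLOWED_UPDATE_HOSTS = {"updates.example-vendor.test"}
# Constructed blocklist of destinations router traffic should never reach.
BLOCKLIST = {"203.0.113.7", "c2.example-bad.test"}


def verify_update_source(url: str) -> bool:
    """Point 2: only fetch firmware over TLS from the vendor's known host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_UPDATE_HOSTS


def build_manifest(image: bytes, version: str) -> dict:
    """Vendor side (demo): describe an image by version and SHA-256 digest."""
    return {"version": version, "sha256": hashlib.sha256(image).hexdigest()}


def sign_manifest(manifest: dict) -> str:
    """Vendor side (demo): tag the canonical JSON form of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, canonical, hashlib.sha256).hexdigest()


def verify_firmware(image: bytes, manifest: dict, tag: str) -> bool:
    """Point 3: accept an image only if the manifest tag verifies and the
    image digest matches the digest the manifest carries. The tag is checked
    first, so a tampered manifest cannot simply declare a new digest."""
    if not hmac.compare_digest(sign_manifest(manifest), tag):
        return False
    return hashlib.sha256(image).hexdigest() == manifest["sha256"]


def parse_version(version: str) -> tuple:
    """Split '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed: str, latest: str) -> bool:
    """Point 4: True when the installed version is older than the vendor's."""
    return parse_version(installed) < parse_version(latest)


# Constructed flow-log line format: "<timestamp> <src> -> <dst>:<port>"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def flagged_connections(log_lines) -> list:
    """Point 5: return destinations from the flow log that hit the blocklist."""
    hits = []
    for line in log_lines:
        match = FLOW_RE.match(line.strip())
        if match and match.group(3) in BLOCKLIST:
            hits.append(match.group(3))
    return hits


if __name__ == "__main__":
    image = b"constructed firmware image bytes"
    manifest = build_manifest(image, "1.2.10")
    tag = sign_manifest(manifest)
    print("source ok:", verify_update_source("https://updates.example-vendor.test/fw.bin"))
    print("image ok:", verify_firmware(image, manifest, tag))
    print("outdated:", is_outdated("1.2.9", manifest["version"]))
    # Constructed flow-log lines.
    logs = ["2017-06-16T10:00:01Z 192.168.1.20 -> 198.51.100.5:443",
            "2017-06-16T10:00:02Z 192.168.1.1 -> 203.0.113.7:8443",
            "2017-06-16T10:00:03Z 192.168.1.1 -> c2.example-bad.test:443"]
    print("flagged:", flagged_connections(logs))
```

The version comparison is numeric on purpose: comparing "1.2.9" and "1.2.10" as strings would wrongly report the device as current. Likewise, the image digest is checked only after the manifest tag verifies, so an attacker who can alter both the image and its manifest still cannot produce an accepted update without the vendor's key.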

h/t SiliconANGLE
