
CIA Targeting Linux Users With OutlawCountry Network Traffic Re-Routing Tool - kumaranvpl
https://hothardware.com/news/wikileaks-exposes-cia-targeting-linux-users-with-outlawcountry-network-traffic-re-routing-tool
======
skywhopper
This is not surprising or even interesting. The headline in particular is
overblown. It's the equivalent of "CIA Targeting French Speakers with Audio
Listening Devices". Not only is that painfully obvious and well-known, but
it's also far too weirdly specific. Yes, the CIA has tools for spying. That's
their job. The tools vary in sophistication. They are used in targeted ways.
This tool, like most listening devices, requires some form of breaking and
entering to install, and would be easily detected by mid-level security
efforts. It's cool to get the details, but the headline (and the general tone
of the Wikileaks releases) is scaremongering FUD. The NSA is doing far far
more pervasive and dangerous stuff.

~~~
herewulf
Bad People can do Bad Things with root. News at 11.

------
kirab
I have never seen a command to retrieve _all_ iptables tables or _all_
iptables rules over all tables. What you usually find in documentation is the
following:

    iptables contains five tables:
    raw is used only for configuring packets so that they are exempt from connection tracking.
    filter is the default table, and is where all the actions typically associated with a firewall take place.
    nat is used for network address translation (e.g. port forwarding).
    mangle is used for specialized packet alterations.
    security is used for Mandatory Access Control networking rules (e.g. SELinux -- see this article for more details).

My opinion: this is simple but pretty smart at the same time, therefore the
perfect hacker tool. I can't even imagine a single sysadmin who searched for
_additional_ iptables tables before this leak.

To the dismissive people here: as a hacker you don't want complex attacking
tools, they can be found much easier, because all the tools look for complex
attacks (e.g. modified system files).

Hiding this well in plain sight in a place where no one and no tool ever looks
is genius.

~~~
okasaki
ip(6)tables-save

~~~
kirab
I looked into the source code, it uses /proc/net/ip_tables_names to find the
tables

And that tbh doesn't seem very reliable, see what happened on a laptop which
does not use iptables:

    $ cat /proc/net/ip_tables_names
    cat: /proc/net/ip_tables_names: No such file or directory
    $ iptables -L
    [...]
    $ cat /proc/net/ip_tables_names
    filter
    $ iptables -t nat -L
    [...]
    $ cat /proc/net/ip_tables_names
    nat
    filter

This seems to only show loaded/active iptables tables. Which means that a
table may exist but unless it is loaded you will not see it. But of course in
our scenario the CIA would have activated some rules, so this table should
appear there. Unless the CIA was also able to hide the table from that file,
which may well be possible, since the table was added via a root kernel
module...
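A defender-side check built on the two points raised above, kirab's observation that /proc/net/ip_tables_names lists only the tables currently loaded and okasaki's pointer to iptables-save (an added example, not from the thread or from the leaked tool): flag any loaded table whose name is outside the five documented ones and dump it. The `unknown_tables` and `audit_family` functions and the sample table list are constructed for this illustration.

```shell
#!/bin/sh
# Added example: enumerate loaded iptables tables and flag undocumented ones.
# The five documented tables quoted earlier in the thread.
KNOWN_TABLES="raw filter nat mangle security"

# unknown_tables: read table names (one per line) on stdin and print any that
# are not in KNOWN_TABLES. Exit status 1 if at least one unknown table was seen.
unknown_tables() {
    found=0
    while IFS= read -r tbl; do
        [ -n "$tbl" ] || continue
        case " $KNOWN_TABLES " in
            *" $tbl "*) ;;                      # documented table, nothing to report
            *) printf '%s\n' "$tbl"; found=1 ;; # anything else is worth a look
        esac
    done
    return "$found"
}

# audit_family: run the check against the live kernel for "ip" or "ip6".
# The /proc file lists only tables that are currently loaded (as kirab saw),
# and a kernel module running as root could hide entries from it, so a clean
# result means "nothing visible", not "nothing there".
audit_family() {
    fam="$1"
    names="/proc/net/${fam}_tables_names"
    if [ ! -r "$names" ]; then
        echo "$names: not present, no ${fam}tables table loaded"
        return 0
    fi
    if extra=$(unknown_tables < "$names"); then
        echo "$fam: only documented tables loaded"
        return 0
    fi
    echo "$fam: undocumented table(s) loaded: $extra"
    # iptables-save/ip6tables-save with -t dumps one table; with no -t it
    # dumps every loaded table, unknown ones included.
    for t in $extra; do
        "${fam}tables-save" -t "$t" 2>/dev/null || echo "could not dump table $t"
    done
    return 1
}

# Constructed sample of the /proc file with one extra, undocumented table.
SAMPLE='nat
filter
shadow'

# Demonstration on the sample (no live kernel needed), then the live check.
printf '%s\n' "$SAMPLE" | unknown_tables || echo "sample has an undocumented table"
audit_family ip || :
audit_family ip6 || :
```

Run as root for the iptables-save dump; without root the table names are still readable from /proc.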

------
evilDagmar
This particular tool is somewhat unimpressive.

From what's shown in the article it's likely only usable on RedHat-derivatives
(because of the binary-only kernel module). There are already "amateur"
rootkits out there, with what's almost certainly a better feature set.

I am particularly unimpressed with the documentation's suggestion to _rm_ the
module afterwards, as the systems in question are extremely likely to have the
_shred_ command installed (which first overwrites the file contents in-place)
which would make it impossible for a quick examiner to simply undelete the
module for analysis.

I think this was some agent's idea of a PoC more than something they expected
to use.

~~~
a3n
Maybe it's part of a "list of things to do first" when a target has been
breached by gaining access. There are mass email-based phishing attacks, there
are spear-phishing attacks, and there are likely procedures to follow when a
specific group's target has given up physical access via root.

As for RH-only, what makes us think that there aren't also Debian and other
similar attacks?

MS-Word is also "somewhat unimpressive," as it's only usable on Windows.

------
kylek
I just like that the tool's name is a reference to Archer

------
jlgaddis
[https://wikileaks.org/vault7/#OutlawCountry](https://wikileaks.org/vault7/#OutlawCountry)

------
akavel
Given that this requires root already, what's the benefit from it being a
kernel module, vs. just running a few iptables commands to add a new rule?

~~~
sikosmurf
It won't show up with a normal `iptables -L`

~~~
jaimex2
yeah, but would light up like a xmas tree on any IDS or packet sniffer.

------
simon_acca
The article claims that the attack is particularly effective on (web) servers.
Wouldn't this type of attack only affect connections that originate _from_ the
affected host though (and not the incoming ones)?

~~~
burnbabyburn
the nat table affects packets originating from the host and ones that are
forwarded

~~~
Godel_unicode
You can absolutely NAT incoming packets using the NAT table. Put the rule into
the PREROUTING chain and only change the port, not the dst IP. This trick is
super useful for docker containers, and to allow unprivileged processes to
listen on privileged ports.

~~~
zAy0LfpBZLC8mAC
It doesn't really make sense to talk about "incoming" packets at that point,
as it is _PRE_ ROUTING, so whether the destination address is local or not,
and thus whether it's an incoming or a forwarded packet, has not been
determined yet, and you can NAT however you like, local address to local
address, local address to remote address, remote address to remote address, or
remote address to local address.

------
macmac
What is the best approach to guarding against crap like this on Linux, Ubuntu
specifically?

~~~
jaimex2
Don't run random scripts basically, always check their content. Especially if
they require root.

~~~
astrodust
Welp, there goes Rubygems and NPM global modules.

~~~
chocolateboy
Neither requires root:

* [https://github.com/creationix/nvm](https://github.com/creationix/nvm)

* [http://kazhack.org/?post/2014/12/11/npm-install-g-without-sudo](http://kazhack.org/?post/2014/12/11/npm-install-g-without-sudo)

* [http://kazhack.org/?post/2014/12/12/pip-gem-install-without-sudo](http://kazhack.org/?post/2014/12/12/pip-gem-install-without-sudo)

~~~
astrodust
You can do it without root if you take precautions, but the default is to use
root.

~~~
chocolateboy
Depends on the system. The default on Arch Linux is local gem installs:

    $ cat /etc/gemrc
    # --user-install is used to install to $HOME/.gem/ by default since we want to separate
    #                pacman installed gems and gem installed gems
    gem: --user-install

~~~
astrodust
That's a nice touch and some good work on the part of the package maintainer.
Most (Ubuntu, RedHat, etc.) do not, they just expect you to sudo everything.

------
awacs
Never a single leak about Russian spying or intelligence gathering techniques
/ apparatus. Those Russians must be so proper in granting privacy to their
"citizens".

~~~
willstrafach
While the anti-USA slant from WikiLeaks is very overt, I think it has already
been established that Vault 7 is the result of leaked CIA files which continue
to trickle out (More should be expected). There is not likely to be a non-
Vault7 surprise out of the blue.

------
RUTHLESS_RUFUS
Another "timely" delayed FUD release from WikiLeaks.

------
qrbLPHiKpiux
Physical access to the machine is still needed. For 99.99999999 pct of us this
does not matter.

~~~
zimbatm
Why is physical access needed? Any exploit that gives root to the machine
could also be used to install the kernel module.

~~~
willstrafach
You are correct. It is strange to see multiple claims of physical access being
needed.

~~~
omginternets
I think people are assuming that most sysadmins won't enter their sudo
passwords into random prompts (not necessarily a sound assumption). From
there, one easy way to get root that most people understand/know is to have
physical access to the machine.

