Sunday, February 5, 2023

CIA’s ‘Brutal Kangaroo’ Toolkit Infects Machines Disconnected From the Internet

Wikileaks yesterday published more user manuals describing a CIA-designed suite of Windows-based malware. The tools, called “Brutal Kangaroo”, can even infiltrate closed networks or individual machines that are disconnected from the Internet.

Air-Gapped Machines Can Still Be Compromised

Air-gapped computers, i.e., devices that are never connected to the Internet or to any other untrusted network, have long represented the strongest available protection for security-minded individuals and organizations that routinely handle classified information. An air-gapped device is costly to maintain and operate, so the fact that an organization bothers to keep one is itself a signal to attackers: it almost certainly holds data worth stealing.

Because air-gapped machines are never connected to the Internet, thumbdrives and other removable media are the primary method for transferring data to and from these machines. Typically, data that is available on an air-gapped machine is copied and then viewed by other users within the confines of a private network.

Infections via USB Thumbdrives

The CIA user manual explains that the Brutal Kangaroo program has several components, describes some sample configurations, and even shares a handful of “pro tips” for optimal usage.

The primary delivery mechanism is Drifting Deadline, the tool that infects a machine when a prepared USB thumbdrive is inserted into it. Most traditional malware must be clicked or otherwise executed to trigger its routines, but a thumbdrive carrying Drifting Deadline only needs to be browsed in Windows Explorer for the infection to be passed on to the machine viewing it: the Wikileaks release describes the execution vector as hand-crafted shortcut (.lnk) files that cause Windows to load and execute a DLL without any user interaction. That makes it a close relative of Stuxnet, the worm discovered in 2010 after it damaged the Iranian nuclear program, which also spread over USB drives by abusing how Explorer handled shortcut files.
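The practical consequence for a defender is that a suspect thumbdrive must never be opened in Explorer on a Windows host; image it and inspect the shortcut files offline. The script below is an added example, written for this article and not taken from the leaked manuals or any CIA tooling: it parses the public Windows ShellLink (.lnk) binary format far enough to recover each shortcut's target, arguments and icon path, then applies simple triage heuristics (assumed here, not a detection signature for Brutal Kangaroo) that flag shortcuts invoking a DLL loader such as rundll32, referencing a DLL outside the Windows directory, or expressing their target only as a shell item ID list with no path strings to inspect. The three shortcuts and the broken file it scans are constructed inline for the demo.

```python
"""Offline triage of .lnk shortcut files copied from removable media.

Added example: parses enough of the ShellLink format ([MS-SHLLINK]) to
recover the string fields an analyst wants, then flags shortcuts that look
like DLL-loading lures.  The heuristics and sample files are assumptions
made for this demo, not signatures for any specific malware family.
"""
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from [MS-SHLLINK] section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SUSPICIOUS_LOADERS = ("rundll32", "regsvr32")          # assumed watch-list
SYSTEM_DIRS = ("%systemroot%", "%windir%", "c:\\windows")  # DLLs here are normal


def parse_lnk(data: bytes) -> dict:
    """Validate the 76-byte header, skip IDList/LinkInfo, read StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    has_idlist = bool(flags & HAS_LINK_TARGET_ID_LIST)
    if has_idlist:                       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252")

    fields = {"has_idlist": has_idlist, "name": "", "relative_path": "",
              "working_dir": "", "arguments": "", "icon_location": ""}
    # StringData appears in this fixed order, each only if its flag is set
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[key] = read_string()
    return fields


def triage(fields: dict) -> list:
    """Return the reasons a shortcut deserves a closer look (empty = clean)."""
    reasons = []
    target = fields["relative_path"].lower()
    args = fields["arguments"].lower()
    icon = fields["icon_location"].lower()
    if any(l in target or l in args for l in SUSPICIOUS_LOADERS):
        reasons.append("target or arguments invoke a DLL loader (rundll32/regsvr32)")
    for label, value in (("target", target), ("arguments", args), ("icon", icon)):
        if ".dll" in value and not value.startswith(SYSTEM_DIRS):
            reasons.append(f"{label} references a DLL outside the Windows directory: {value}")
    if fields["has_idlist"] and not fields["relative_path"] and not fields["icon_location"]:
        reasons.append("target given only as a shell item ID list (no path strings to inspect)")
    return reasons


def scan_media(files: dict) -> dict:
    """files is a {path: bytes} snapshot of an imaged drive; returns {path: reasons}."""
    findings = {}
    for path, blob in files.items():
        if not path.lower().endswith(".lnk"):
            continue
        try:
            reasons = triage(parse_lnk(blob))
        except ValueError as exc:
            reasons = [f"unparseable .lnk ({exc}), treat as suspicious"]
        if reasons:
            findings[path] = reasons
    return findings


def build_lnk(relative_path="", arguments="", icon_location="", idlist=b"") -> bytes:
    """Constructed minimal ShellLink for the demo (enough for parse_lnk, not Explorer)."""
    flags, strings = IS_UNICODE, []
    for flag, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments),
                        (HAS_ICON_LOCATION, icon_location)):
        if value:
            flags |= flag
            strings.append(struct.pack("<H", len(value)) + value.encode("utf-16-le"))
    if idlist:
        flags |= HAS_LINK_TARGET_ID_LIST
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = (struct.pack("<H", len(idlist)) + idlist) if idlist else b""
    return header + body + b"".join(strings) + b"\x00\x00\x00\x00"  # TerminalBlock


# Constructed snapshot of a thumbdrive: one benign shortcut, two lures, one junk file
SAMPLE_MEDIA = {
    "E:\\Reports\\Q1 Summary.lnk": build_lnk(relative_path=".\\Q1 Summary.docx",
                                             icon_location="%SystemRoot%\\system32\\shell32.dll"),
    "E:\\Photos.lnk": build_lnk(relative_path="..\\..\\Windows\\System32\\rundll32.exe",
                                arguments=".\\.thumbs\\cache.dll,Run"),
    "E:\\Tools.lnk": build_lnk(idlist=b"\x04\x00\xaa\xbb\x00\x00"),
    "E:\\broken.lnk": b"\x00" * 10,
    "E:\\notes.txt": b"plain file, ignored",
}

if __name__ == "__main__":
    for path, reasons in scan_media(SAMPLE_MEDIA).items():
        print(path, "->", "; ".join(reasons))
```

The parser deliberately stops after StringData: the optional ExtraData blocks and the full LinkInfo structure are skipped by their declared sizes rather than decoded, which is enough for triage and keeps the attack surface of the analysis tool itself small. Run it on a directory listing produced from a forensic image, never on a live mount of the drive.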

Once Drifting Deadline has installed the implant on a target machine, the other components take over. Shattered Assurance is the server-side tool that automates the infection of thumbdrives, the suite's primary means of propagation. Shadow is the persistence and stage-two mechanism: it copies itself and its sibling modules to every other machine and every other thumbdrive that touches an infected host, and once several Shadow instances share the same closed network they form a covert command-and-control mesh that shares tasking and collected data between them. Broken Promise is the post-processor that evaluates the information the implants collect.

The suite bets that, eventually, one of those thumbdrives will be plugged into a machine with an Internet connection, and that is when Brutal Kangaroo attempts to exfiltrate its stolen data. Until then the malware keeps replicating and recording information on as many devices as it can, to maximize the chance that one of them carries the data out.

More CIA Hacking News to Come From Vault 7

The Brutal Kangaroo documents are the 12th release from Wikileaks’ Vault 7 project, a series of some 8,000 leaked files which it describes as the “largest ever publication of confidential documents on the [CIA].”

The majority of the documents pertain to cyber attack tools designed or employed by the CIA, with an aggregate codebase that rivals the size of the one used to run Facebook. The malware includes ways to infiltrate and spy on everything from Apple iPhones to Samsung Smart TVs, and the project is so large that Wikileaks notes there are "considerably more stories than there are journalists or academics who are in a position to write them."

Do the CIA’s hacking tools actually keep us safe? Let’s hear your thoughts.

Images via Wikileaks, Pixabay