Threat Intelligence, Network Security, Vulnerability Management

WikiLeaks latest Vault 7 dump includes CherryBlossom router hacking tool

The June Wikileaks document dump of supposedly pilfered Vault 7 CIA documents includes a multipurpose framework called CherryBlossom designed to crack into routers mostly used in homes, public places and small businesses.

CherryBlossom is installed onto a target router either directly by a person or through a firmware flaw that would allow the hacker to change the firmware, according to Wikileaks. If successfully implanted the malware can give a malicious actor the ability implement a Man-in-the-Middle attack allowing him to interact with or take control of the network it runs.

“CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets [sic]of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals.,” Wikileaks said.

Home routers are particularly vulnerable because most are bought, installed and then never looked at again by the owner, Chris Hinkley, Armor's lead ethical hacker told SC Media.

"Most routers and WiFi access points are neglected so much by users that they are rarely ever patched and updated. In a large number of cases, the default login credentials are never changed. These facts alone make these devices quite vulnerable to attack," he said.

The malicious firmware update creates the following set up on the router. The router becomes a FlyTrap, capable of handling a variety of malicious tasks. The FlyTrap will beacon to its command and control server, dubbed CherryTree. The hacker will then use a browser based administration panel called CherryWeb to control monitor CherryTree's status and send along missions to perform.

Some of these missions could include, WikiLeaks wrote, “scan for email addresses, chat usernames, MAC addresses and VoIP numbers in passing network traffic to trigger additional actions, the copying of the full network traffic of a Target, the redirection of a Target's browser (e.g., to Windex for browser exploitation) or the proxying of a Target's network connections.”

In addition, FlyTrap can setup VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the Flytrap's WLAN/LAN for further exploitation."

While Wikileaks did not leak the tools the CIA allegedly uses, the current state of router handling across the board allows the CIA and other malicious actors to potentially infiltrate networks in a way that is not much thought about," Hinkley said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.