According to new documents published by WikiLeaks, the United States’ Central Intelligence Agency (CIA) has been building and maintaining a host of tools to access the networked activities of organisations America wishes to track. The latest documents describe a program called Cherry Blossom.
A router is the front gate of every network connected to the Internet. Even if there is a firewall at the gateway, a compromised router opens a window into that network through which all of its activity can be monitored. In most organisations, routers are the devices least taken care of, and they are rarely updated to current firmware. This creates a big loophole and a high likelihood of the router being compromised from outside, giving an outsider access to all of the organisation’s networked activities.
Cherry Blossom is capable of exploiting software and monitoring the target’s Internet activity, such as the traffic that passes through commonly used Wi-Fi devices in private and public places. The victims are mostly small and medium-sized companies as well as enterprise offices.
The program uses a modified version of a given router’s firmware to turn it into a surveillance tool. Once in place, Cherry Blossom lets a remote agent monitor the target’s internet traffic, scan for useful information like passwords and even redirect the target to the desired website.
Cherry Blossom compromises wireless devices using a man-in-the-middle attack to monitor, control and manipulate the Internet traffic of connected users. Once a device has been infected successfully, the tool can inject malicious content into the data stream to exploit vulnerabilities in the target.
Once the malicious firmware is in place, the router or access point itself is compromised. It then communicates over the Internet with a command-and-control server referred to as the Cherry Tree.
According to a secret CIA document, the key element of the Cherry Blossom system is the implanted device called Flytrap: a wireless access point (AP), router, or other device that has been implanted with Cherry Blossom firmware. Flytraps execute missions to detect and exploit targets.
Cherry Blossom is another skeleton tumbling out of the CIA’s closet. It was designed for numerous devices, including wireless routers from Cisco, D-Link, Belkin and Linksys. A complete list of affected models can be found here.
Cherry Blossom firmware can be installed on devices even without physical access to them. It can run undetected in the same environment, giving the attacker complete control over, and access to, all the activities happening in the targeted organisation.
To be safe, organisations should keep their routers’ firmware updated and keep the routers behind a firewall. All ports that are of no use to the organisation should be blocked. External traffic should be monitored, and firewall rules should be set accordingly.
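As an added illustration of the advice to monitor external traffic (this is not code from the article or from the leaked documents), the following Python check scans constructed flow records and flags connections that the router itself initiates to hosts outside the organisation’s internal ranges and not on an allow-list of expected destinations; a router beaconing to a command-and-control server such as the Cherry Tree would surface this way. The router address, the sample IP addresses and ports, and the allow-list are all constructed values.

```python
import ipaddress
from collections import Counter

# Internal address space of the organisation (RFC 1918); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed values: the gateway router's LAN address and the external
# (dst_ip, dst_port) pairs it is legitimately expected to reach (vendor NTP here).
ROUTER_IPS = {"192.168.1.1"}
EXPECTED_EXTERNAL = {("198.51.100.20", 123)}

# Constructed sample flow records exported by the gateway: (src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("192.168.1.10", "93.184.216.34", 443, "tcp"),  # workstation browsing: normal
    ("192.168.1.1", "192.168.1.10", 53, "udp"),     # router answering DNS on the LAN: normal
    ("192.168.1.1", "203.0.113.7", 8443, "tcp"),    # router itself reaching an unknown host
    ("192.168.1.1", "198.51.100.20", 123, "udp"),   # router NTP to an allow-listed host
    ("192.168.1.1", "203.0.113.7", 8443, "tcp"),    # repeated contact: beacon-like
]


def is_external(ip):
    """True if the address lies outside all of the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def router_originated_external_flows(flows, router_ips=ROUTER_IPS, allow=EXPECTED_EXTERNAL):
    """Count flows the router initiated to external, non-allow-listed destinations.

    Returns a Counter keyed by (dst_ip, dst_port, proto); a destination that is
    contacted repeatedly is the strongest sign of an implant calling home.
    """
    hits = Counter()
    for src, dst, port, proto in flows:
        if src in router_ips and is_external(dst) and (dst, port) not in allow:
            hits[(dst, port, proto)] += 1
    return hits


if __name__ == "__main__":
    for (dst, port, proto), n in router_originated_external_flows(SAMPLE_FLOWS).most_common():
        print(f"router -> {dst}:{port}/{proto} seen {n} time(s): not an expected destination")
```

Forwarded client traffic is deliberately excluded: only flows whose source is the router's own address are examined, which is what distinguishes a device that has been turned into an implant from one that is merely routing.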