Yesterday WikiLeaks released documentation on a CIA hacking tool named Archimedes, which would allow the CIA to infect computers on a local network. The tool (formerly named “Fulcrum” according to internal documentation) relies on a technique called ARP spoofing to perform Man in the Middle (MitM) attacks against victims.
Is this a new capability?
Absolutely not. For years, penetration testers have relied on a tool called Ettercap to perform ARP spoofing and do the sort of injection that Archimedes/Fulcrum is performing. Ettercap has since been superseded by Bettercap (which, you guessed it, is a more capable build of Ettercap). Like Archimedes, Ettercap also relies on ARP spoofing. However, Ettercap supports a host of different spoofing types, while it appears from the documentation that Archimedes only supports HTTP iframe injection. In short, it appears that Archimedes is a field-stripped version of Ettercap, a tool that Rendition Infosec has been using in penetration tests for years.
What is ARP spoofing?
ARP stands for Address Resolution Protocol. It maps IP addresses to hardware (MAC) addresses, and it is critical to communication on a local area network (LAN). But most of your communications leave the LAN. For instance, when you talk to a web server, the request leaves the LAN via a router, typically called a default gateway. ARP spoofing tools use a compromised machine on the LAN to trick other machines on the same LAN into thinking that it is the default gateway. In this way, the attackers gain a Man in the Middle (MitM) position and can inject malicious content into an otherwise benign webpage.
What can businesses do to protect against ARP spoofing?
First, don’t let attackers join your LAN. This goes for wireless LAN (WLAN) as well as physical LANs. An attacker on your LAN is in a good position to MitM victims on the LAN. It’s not 100% true to say you’ve already lost when an attacker is on the LAN, but it’s certainly not pretty.
For wireless network environments, your only viable option is to monitor for ARP spoofing and take action against the offenders (de-registering them from the network). This is one reason it is critical to keep attackers off the network in the first place. Open Wi-Fi is obviously bad for this (and other) reasons.
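The monitoring described above boils down to watching ARP replies for two things: an IP address (above all the default gateway) that suddenly answers from a different MAC, and a single MAC that claims the gateway and another host at the same time, which is what a MitM tool does when it poisons both sides. The following is an added example, not code from the article or from any of the tools it names; it runs the two checks over a constructed list of ARP replies (the addresses and MACs are made up) rather than live packets, and a real deployment would feed it from a packet capture.

```python
"""Detect ARP spoofing from a stream of observed ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply ('ip is-at mac'), seen at time ts (seconds)."""
    ts: float
    ip: str
    mac: str


def detect_arp_spoofing(replies, gateway_ip):
    """Scan ARP replies in arrival order and return a list of alert dicts.

    Two signatures are checked:
      * "mac_change": an IP we have already seen is now answered for by a
        different MAC (the gateway flipping to a new MAC is the classic sign).
      * "dual_claim": one MAC answers for the gateway IP *and* for at least one
        other host, i.e. both sides of a conversation have been poisoned.
    """
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has ever claimed
    flagged = set()                 # MACs already reported as dual claimers
    alerts = []
    for r in replies:
        prev = ip_to_mac.get(r.ip)
        if prev is not None and prev != r.mac:
            alerts.append({"kind": "mac_change", "ts": r.ts, "ip": r.ip,
                           "old_mac": prev, "new_mac": r.mac})
        ip_to_mac[r.ip] = r.mac
        mac_to_ips[r.mac].add(r.ip)
        claimed = mac_to_ips[r.mac]
        if gateway_ip in claimed and len(claimed) > 1 and r.mac not in flagged:
            flagged.add(r.mac)
            alerts.append({"kind": "dual_claim", "ts": r.ts, "mac": r.mac,
                           "ips": sorted(claimed)})
    return alerts


def macs_to_quarantine(alerts):
    """MACs worth de-registering from the network based on the alerts.

    Only "dual_claim" is acted on automatically: a lone "mac_change" can be
    legitimate (a replaced NIC, a DHCP lease handed to another host), so it is
    left for an analyst to corroborate rather than triggering a disconnect.
    """
    return {a["mac"] for a in alerts if a["kind"] == "dual_claim"}


# Constructed sample traffic: a gateway, a workstation, and a third host that
# later starts answering ARP for both of them.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:01"),    # real gateway
    ArpReply(0.5, "10.0.0.20", "00:11:22:33:44:20"),   # a workstation
    ArpReply(1.0, "10.0.0.30", "00:11:22:33:44:30"),   # third host, its own IP
    ArpReply(5.0, "10.0.0.1", "00:11:22:33:44:30"),    # third host claims gateway
    ArpReply(5.1, "10.0.0.20", "00:11:22:33:44:30"),   # ... and the workstation
    ArpReply(6.0, "10.0.0.1", "00:11:22:33:44:30"),    # repeated claim, no new alert
]

if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_REPLIES, "10.0.0.1")
    for alert in found:
        print(alert)
    print("quarantine:", sorted(macs_to_quarantine(found)))
```

Run against the sample, the monitor raises a `mac_change` for the gateway, a `dual_claim` for the offending MAC, and a second `mac_change` for the workstation; the repeated gratuitous reply at the end adds nothing, which keeps the alert volume proportional to new events rather than to how often the attacker re-sends.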
For wired network environments, perhaps the best security option is to enable port security on your switches if they support it. With port security, you specify the MAC (hardware) addresses that are permitted on each physical switch port. Helpdesk workers tend to hate port security since it increases administrative burden. It also makes it hard for presenters to wire into common areas (such as a conference room for presentations). But port security is easy to implement when combined with network management software, which usually uses SNMP to make configuration changes as needed.
Common use areas where hardware addresses may change (such as presentation rooms) should be placed on their own virtual LAN (VLAN). While hosts on these VLANs are still subject to ARP spoofing, only those hosts on the isolated VLANs are vulnerable (and only while they are connected).
Indicators of Compromise
The leaked documents show a number of file-based indicators of compromise (IOCs) for the Archimedes tool. The CIA has doubtless recompiled the code and changed static filenames, so these IOCs are probably only usable for investigating historical compromises. Even if the current Archimedes tool has been changed out, evidence of these rather unique filenames might still exist in the USN Journal or INDX buffer slack*.
*Don’t worry if you don’t understand these terms, they are hints for digital forensics investigators who might come upon this article later.
This leak does not expose any previously unknown capabilities and it is no surprise that any state-sponsored actor would possess an ARP spoofing tool. Rendition Infosec has detailed some simple steps you can take to protect yourself from being impacted by these tools.
If you believe you have been targeted by this (or other) nation-state malware, Rendition Infosec’s digital forensics professionals can help uncover the intrusion. If you need help securing your network or investigating a suspected compromise, call Rendition Infosec and we’ll remove any uncertainty about your security posture.