This is not surprising or even interesting. The headline in particular is overblown. It's the equivalent of "CIA Targeting French Speakers with Audio Listening Devices". Not only is that painfully obvious and well-known, but it's also far too weirdly specific. Yes, the CIA has tools for spying. That's their job. The tools vary in sophistication. They are used in targeted ways. This tool, like most listening devices, requires some form of breaking and entering to install, and would be easily detected by mid-level security efforts. It's cool to get the details, but the headline (and the general tone of the Wikileaks releases) is scaremongering FUD. The NSA is doing far far more pervasive and dangerous stuff.
I have never seen a command to retrieve all iptables tables or all iptables rules over all tables. What you usually find in documentation is the following:
iptables contains five tables:
raw is used only for configuring packets so that they are exempt from connection tracking.
filter is the default table, and is where all the actions typically associated with a firewall take place.
nat is used for network address translation (e.g. port forwarding).
mangle is used for specialized packet alterations.
security is used for Mandatory Access Control networking rules (e.g. SELinux -- see this article for more details).
My opinion: this is simple but pretty smart at the same time, therefore the perfect hacker tool. I can't even imagine a single sysadmin who searched for additional iptables tables before this leak.
To the dismissive people here: as a hacker you don't want complex attacking tools; they can be found much more easily, because all the tools look for complex attacks (e.g. modified system files).
Hiding this well in plain sight in a place where no one and no tool ever looks is genius.
I looked into the source code; it uses /proc/net/ip_tables_names to find the tables.
And that tbh doesn't seem very reliable; see what happened on a laptop which does not use iptables:
$ cat /proc/net/ip_tables_names
cat: /proc/net/ip_tables_names: No such file or directory
$ iptables -L
[...]
$ cat /proc/net/ip_tables_names
filter
$ iptables -t nat -L
[...]
$ cat /proc/net/ip_tables_names
nat
filter
This seems to only show loaded/active iptables tables. Which means that a table may exist but unless it is loaded you will not see it. But of course in our scenario the CIA would have activated some rules, so this table should appear there. Unless the CIA was also able to hide the table from that file, which may well be possible, since the table was added via a root kernel module...
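The two comments above (the one noting there is no documented command to list all iptables tables, and the one reading /proc/net/ip_tables_names) suggest a simple audit: compare what the kernel says is loaded against the five documented tables (raw, filter, nat, mangle, security) and dump the rules of every loaded table rather than only the filter table that `iptables -L` shows. The script below is an added example, not code from the thread or from the leaked tool; the file path is a parameter so it can be run against a saved copy or a constructed sample, and the table name used in the test is a made-up sample. As the comment says, this only sees what the kernel reports, so a module that hides a table from that file defeats it.

```shell
#!/bin/sh
# Added example: audit which iptables tables the kernel reports as loaded and
# flag any name outside the five documented tables. Not from the original thread.

KNOWN_TABLES="raw filter nat mangle security"

# Print the table names listed in the given ip_tables_names file, one per line.
# An absent file means no table has been loaded yet (as in the laptop transcript
# above), so print nothing instead of failing.
list_tables() {
    [ -r "$1" ] || return 0
    cat "$1"
}

# Print only the loaded table names that are not in KNOWN_TABLES.
unknown_tables() {
    list_tables "$1" | while IFS= read -r name; do
        case " $KNOWN_TABLES " in
            *" $name "*) ;;              # documented table, nothing to report
            *) printf '%s\n' "$name" ;;  # undocumented table, worth a closer look
        esac
    done
}

# Dump the rules of every loaded table, so rules living in a table that
# "iptables -L" (filter only) never shows are still visible. Needs iptables
# and root; not exercised by the test.
dump_all_tables() {
    list_tables "$1" | while IFS= read -r name; do
        echo "### table: $name"
        iptables -t "$name" -S
    done
}

# Stand-alone usage against the live kernel: sh audit_tables.sh --live
if [ "${1:-}" = "--live" ]; then
    f=/proc/net/ip_tables_names
    u=$(unknown_tables "$f")
    if [ -n "$u" ]; then
        echo "Unexpected iptables table(s) loaded:"
        echo "$u"
    else
        echo "Only documented tables loaded: $(list_tables "$f" | tr '\n' ' ')"
    fi
    dump_all_tables "$f"
fi
```

Run with `--live` as root on a box that uses iptables; on a host where no table has been loaded the /proc file is absent and the script reports nothing, exactly as in the transcript above, so a missing file is not evidence of a clean system.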
The post further down there says that additional tables can only be created via the kernel, so if you're really creating additional tables could you please share your commands for doing so?
From what's shown in the article it's likely only usable on RedHat-derivatives (because of the binary-only kernel module). There are already "amateur" rootkits out there, with what's almost certainly a better feature set.
I am particularly unimpressed with the documentation's suggestion to rm the module afterwards, as the systems in question are extremely likely to have the shred command installed (which first overwrites the file contents in-place) which would make it impossible for a quick examiner to simply undelete the module for analysis.
I think this was some agent's idea of a PoC more than something they expected to use.
Maybe it's part of a "list of things to do first" when a target has been breached by gaining access. There are mass email-based phishing attacks, there are spear-phishing attacks, and there are likely procedures to follow when a specific group's target has given up physical access via root.
As for RH-only, what makes us think that there aren't also Debian and other similar attacks?
MS-Word is also "somewhat unimpressive," as it's only usable on Windows.
It looks a lot like a basic intern project, as it does technically serve a purpose yet does not use any vulnerabilities or contain anything particularly novel for that matter.
Shred doesn't work as intended on modern filesystems and storage devices. It's only really useful for priming a new drive with random data because its PRNG is faster than /dev/random.
The article claims that the attack is particularly effective on (web) servers.
Wouldn't this type of attack only affect connections that originate from the affected host though (and not the incoming ones)?
You can absolutely NAT incoming packets using the NAT table. Put the rule into the PREROUTING chain and only change the port, not the dst IP. This trick is super useful for docker containers, and to allow unprivileged processes to listen on privileged ports.
It doesn't really make sense to talk about "incoming" packets at that point, as it is PREROUTING, so whether the destination address is local or not, and thus whether it's an incoming or a forwarded packet, has not been determined yet, and you can NAT however you like, local address to local address, local address to remote address, remote address to remote address, or remote address to local address.
Depends on the system. The default on Arch Linux is local gem installs:
$ cat /etc/gemrc
# --user-install is used to install to $HOME/.gem/ by default since we want to separate
# pacman installed gems and gem installed gems
gem: --user-install
That's a nice touch and some good work on the part of the package maintainer. Most (Ubuntu, RedHat, etc.) do not, they just expect you to sudo everything.
Well, as the article states, this attack needs elevated rights on your machine anyway. So to install that, you need to be pwned in the first place.
And (also stated) you had better hope that all admins of all websites/services you use take care of this too, since they're the real juicy targets...
Disclaimer: I'm a casual Linux user, not an experienced system administrator.
My understanding is that ufw uses iptables under the hood. I use ufw, yet my laptop (casual user) has iptables; don't know whether it was installed as a result of installing ufw, or if it's there by default.
Regardless of using iptables or ufw, these are both for manipulating the lower level kernel network firewall. And the article shows using iptables to load an nf kernel module. (I think) it's the module that's important, and iptables is just the convenience function to get it done.
Anyone who has root access could easily install and uninstall iptables, or use some other method of module installation.
Never a single leak about Russian spying or intelligence gathering techniques / apparatus. Those Russians must be so proper in granting privacy to their "citizens".
While the anti-USA slant from WikiLeaks is very overt, I think it has already been established that Vault 7 is the result of leaked CIA files which continue to trickle out (More should be expected). There is not likely to be a non-Vault7 surprise out of the blue.
I think people are assuming that most sysadmins won't enter their sudo passwords into random prompts (not necessarily a sound assumption). From there, one easy way to get root that most people understand/know is to have physical access to the machine.
Probably young Linux enthusiast Billy, who switched from Windows a week ago because a friend installed Ubuntu for him; he went into some random internet forum and copy-pasted a bunch of commands on the little black (or reddish?) and white screen to improve "performance".