
Vault 7 - BothanSpy and Gyrfalcon


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Following on from the series of leaked malware documentation published by WikiLeaks, documentation relating to further tools has been released as part of the Vault 7 series. The documents describe BothanSpy and Gyrfalcon.

Threat details

BothanSpy is described as an implant which targets Xshell, a popular SSH client for Microsoft Windows, and steals user credentials for all active SSH sessions. The stolen credentials can be either a username and password or a private SSH key (together with its passphrase, if one is set).

Gyrfalcon relates to an implant that targets the OpenSSH client on Linux platforms. The implant is able to steal user credentials from active sessions and is also capable of collecting OpenSSH traffic.

The compilation date of the documentation indicates that it was written in 2015, which suggests that newer operating systems could also be affected by the implants.

It is believed that, in order for these tools to be used, a prior compromise would have had to occur so that the privileges necessary to install the implants could be gained. If that were achieved, however, the impact could be high: where credentials or private keys are re-used across several platforms, the stolen material could be used to perform lateral movement throughout a target network.

The full documentation can be found here: https://wikileaks.org/vault7/#BothanSpy


Remediation steps

  • Monitor network and proxy logs for any anomalous behaviour.
  • Consider remotely logging any attempts to access restricted platforms, which may highlight suspicious activity.
  • Make sure that users and services are only operating with the required level of privileges.
  • Ensure that strong password and account policies are enforced for all accounts that have access to management interfaces over SSH.
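The first two remediation steps above amount to watching SSH authentication logs for credentials being used from places they are not normally used from, which is what a stolen password or private key looks like when it is replayed for lateral movement. The following script is an added example written for this alert and is not part of the WikiLeaks documentation or of NHS Digital's guidance. It assumes the standard OpenSSH server (sshd) "Accepted publickey/password" log line format; the log lines, hostnames, addresses, usernames and key fingerprints in it are all constructed placeholders. It builds a per-key baseline of source addresses and raises an alert when a key fingerprint turns up from a source not previously associated with it, and separately flags password logins to the host so they can be reviewed against the account policy in the last step.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (placeholders, not taken from the advisory).
# The same "deploy" key is used twice from the usual host, then from a new address,
# followed by a password login from that new address.
SAMPLE_LOG = """\
Feb 17 09:01:12 bastion sshd[2101]: Accepted publickey for deploy from 10.0.1.15 port 50122 ssh2: RSA SHA256:AAAAdeployKEYfp
Feb 17 09:05:44 bastion sshd[2140]: Accepted publickey for deploy from 10.0.1.15 port 50187 ssh2: RSA SHA256:AAAAdeployKEYfp
Feb 17 13:22:03 bastion sshd[2788]: Accepted publickey for deploy from 192.0.2.77 port 41002 ssh2: RSA SHA256:AAAAdeployKEYfp
Feb 17 13:25:51 bastion sshd[2801]: Accepted password for admin from 192.0.2.77 port 41010 ssh2
Feb 17 13:30:00 bastion sshd[2833]: Failed password for root from 192.0.2.77 port 41011 ssh2
"""

# Matches successful OpenSSH logins. The key type and SHA256 fingerprint are only
# present for public-key authentication, so that part of the pattern is optional.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>publickey|password) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse_logins(text):
    """Yield one dict per successful SSH login line (failed attempts are skipped)."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.groupdict()


def find_anomalies(text, baseline=None):
    """Return a list of alert tuples for the given log text.

    baseline optionally maps key fingerprint -> set of source addresses already
    known for that key (e.g. learned from previous days). The baseline is updated
    in place as new (fingerprint, source) pairs are observed, so the first host a
    key is seen from is treated as its normal origin.
    """
    known_sources = defaultdict(set, baseline or {})
    alerts = []
    for ev in parse_logins(text):
        if ev["method"] == "password":
            # Password logins over SSH are worth reviewing: a stolen password is
            # exactly what the implants described above collect.
            alerts.append(("password-login", ev["user"], ev["src"]))
        if ev["fp"]:
            seen = known_sources[ev["fp"]]
            if seen and ev["src"] not in seen:
                # Same private key, new source address: consistent with a copied key
                # being used from another machine.
                alerts.append(("key-from-new-host", ev["user"], ev["src"], ev["fp"]))
            seen.add(ev["src"])
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(" ".join(alert))
```

In practice the baseline would be persisted between runs (or seeded from a known list of jump hosts) rather than rebuilt from each day's log, and the alerts fed to whatever central logging the second remediation step puts in place; the detection logic itself does not change.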

Last edited: 17 February 2020 11:40 am