Wikileaks — an independent non-profit organization that has actively been publishing news, classified information provided by whistle blowers and anonymous sources has disclosed a CIA project called ‘Cherry Blossom’. It’s a tool that is based on the concept of ‘Man-in-the-Middle’ attacks which basically involves relaying, controlling and manipulating communication between two entities. The tool Cherry Blossom provides a platform for its users to create an opportunities to snoop into wireless networking devices and then perform surveillance activities there on. As per the leaks, the tool was developed and implemented by the CIA in close collaboration with a US non-profit organization ‘Standford Research institute’.
Cherry Blossom, has the capability to achieve the goal of compromising routers developed by approximately 20 vendors amounting to a whooping 200 WiFi models. Apart from hooking up and compromising various routers used in houses and offices, CherryBlossom also has been designed to achieve similar objectives in context to Wireless Access points. Some of the router models and wireless access points for which Cherry Blossom has already been used against are:
- 3Com
- Accton
- Cisco
- Ambit
- AMIT
- Asus
- Apple
- Breezecom
- D-Link
- Gemtek
- Global Sun
- Linksys
- Orinoco
- Planet Tec
- Senao
- US Robotics
- Z-Com
About Component of CherryBlossom Called ‘Flytrap’ & Deployment Methods
As described in the leaked documents the core component or the main component of CherryBlossom is Flytrap. This component is essentially a customized version of the router or AP’s firmware and is replaced with the original firmware of the router /AP. Most of the routers or AP’s has the capability to upgrade its firmware while being connected to the internet, hence the infection is deployed on the target device remotely.
As per the terminology used in the leaked document, as soon as the customized firmware is installed in the router, the targeted router or access point turns into a ‘FlyTrap’.
There is more than one method to deploy CherryBlosson firmware on a targeted device and convert it into a FlyTrap.
Method 1: In this method a tool called claymore is used to send an online update to the targeted device. The update in this case has the customized Cherryblosson firmware which turns the targeted device to a FlyTrap.
Method 2: This method basically involves knowing the wireless security credentials and the password of the targeted device. Once this information is known the implant is sent and installed to the targeted device’s firmware upgrade functionality.
Method 3: In this method the implant is deployed through the supply chain. This method is usually followed in cases where the targeted router or wireless access point does not have the capability to initiate a wireless firmware update.
What Happens After the Implant is Deployed in the Targeted Device?
Once the firmware is deployed to the targeted device it will then change the targeted device to a FlyTrap (a term used by the creators of CherryBlossom for the targeted device after the implant is deployed). The FlyTrap then beacons over the internet and connects automatically to a command and control (C&C) server. This C&C server is also called the CherryTree and performs the function of flashing the security information and other details related to the targeted device on a web browser interface called the ‘CherryWeb’.
After the router is infected it becomes an easy task for the malicious actor to scan for email addresses, chat usernames, MAC addresses and VoIP numbers in passing network traffic to trigger additional actions. Apart from these tasks, one can also copy the network traffic and redirect the user to a malicious website to carry on further attacks.
For your cybersecurity need, get in touch with us.