Vault 7 from WikiLeaks is stirring controversy once again. This time, a document has been leaked from the CIA with technical details on Linux malware they may have developed. The CIA document is dated 5 June 2015, and names the malware OutlawCountry.
Here are details from the document.
-
OutlawCountry contains a kernel module that creates a hidden netfilter table.
-
One kernel module specifically targets CentOS and Red Hat Enterprise Linux 6.
-
An attacker who uses OutlawCountry must have shell access to their target.
-
The purpose of the hidden netfilter table is to allow new rules to be created with the iptables command.
"OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for exfiltration and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target. With knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator," WikiLeaks wrote on their blog.
Although the document states that an attacker needs shell access to their target, it's unclear as to how an attacker is supposed to acquire access. OutlawCountry also requires root privileges.
Although only a fraction of client PCs run Linux operating systems, a large percentage of servers run Linux, including distributions such as Red Hat and CentOS. Red Hat Enterprise Linux is CentOS's upstream source, so it makes sense that the same vulnerability can exist in both operating systems. OutlawCountry's network traffic redirection feature suggests the malware could target servers which operate internet functions, such as web servers.
WikiLeaks' Vault 7 documents have been published since 7 March 2017, and consist of leaks from the CIA. The Vault 7 post which revealed the OutlawCountry document is dated 29 June 2017.