Last weekend we had a worldwide emergency in the shape of the WannaCry ransomware, and now we have received equally bad news. WikiLeaks has published a report on an exploit used by the CIA that can find its way into practically any device running any version of Windows. The CIA can use it to take complete control of the targeted system.
The CIA project is codenamed Athena, and it can compromise every version of Windows from XP to Windows 10. Attackers using it can also deploy additional malware and gain access to any of the local files, should they wish to drop data onto the drives.
WikiLeaks also says that, once installed, the malware offers several features, including beaconing and the ability to load and unload malicious payloads in memory for specific tasks. It can also retrieve files from, or deliver files to, a specific directory on the targeted system. The operator can change settings during the attack, so the malware can be customized to better exploit the situation and adapt itself.
This all means that every Windows system out there is vulnerable to the CIA attack. They can infiltrate any computer, steal data, and upload it to their own servers. Athena was supposedly created in August 2015, while Windows 10 was launched in July 2015, meaning that the CIA had an exploit capable of infiltrating any Windows system only a month after the latest version was released.
It has been discovered that the malware was made by the CIA, apparently in collaboration with a company called Siege Technologies. The company calls itself a cyber security company, with a focus on offensive technology for cyber warfare.
The CIA documentation states that Athena was built with the intention of bypassing defenses such as antivirus. It also references several popular security products that do not block the exploit.
Athena’s own user manual reveals that the installation hijacks the dnscache service. On Windows 7 and 8 that service runs by default in a netsvcs instance, but on Windows 8.1 and Windows 10 it runs as NetworkService, a user context with reduced capabilities on those systems. Because of how svchost is implemented, the service can only begin running as part of a netsvcs context after the next reboot.
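As an added example (not from the article or the leaked manual), the following PowerShell audit checks the Dnscache service configuration that the manual says Athena tampers with: which svchost group the service is launched in, whether it is really a member of that group, which account it runs as, and whether its ServiceDll is the expected, Microsoft-signed binary. The baseline values (dnsrslvr.dll, netsvcs, NetworkService) are assumptions and should be confirmed against a known-clean machine of the same Windows build.

```powershell
# Added defensive audit of the Dnscache (DNS Client) service configuration.
# Run from an elevated PowerShell prompt. Baseline values are ASSUMPTIONS:
# verify them against a clean reference machine of the same build.

function Test-DnscacheConfig {
    $svcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
    $hostKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $expectedDll = Join-Path $env:SystemRoot 'System32\dnsrslvr.dll'   # assumed baseline

    $svc      = Get-ItemProperty -Path $svcKey
    $params   = Get-ItemProperty -Path "$svcKey\Parameters"
    $findings = @()

    # 1. The -k argument in ImagePath names the svchost group (e.g. netsvcs).
    $group = if ($svc.ImagePath -match '-k\s+(\S+)') { $Matches[1] } else { $null }
    if (-not $group) {
        $findings += "ImagePath is not an svchost -k launch: $($svc.ImagePath)"
    } else {
        # 2. Cross-check: the group's REG_MULTI_SZ must actually list Dnscache.
        $members = (Get-ItemProperty -Path $hostKey).$group
        if ($members -notcontains 'Dnscache') {
            $findings += "Dnscache is not a member of svchost group '$group'"
        }
    }

    # 3. ServiceDll must be the expected binary, carrying a valid Microsoft signature.
    $dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
    if ($dll -ine $expectedDll) { $findings += "Unexpected ServiceDll: $dll" }
    if (Test-Path -LiteralPath $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "ServiceDll signature check failed: $($sig.Status)"
        }
    } else {
        $findings += "ServiceDll path does not exist: $dll"
    }

    # Return the facts plus any findings; an empty Findings list means nothing unusual.
    [pscustomobject]@{
        ImagePath  = $svc.ImagePath
        Group      = $group
        RunsAs     = $svc.ObjectName      # LocalSystem (netsvcs) vs NT AUTHORITY\NetworkService
        ServiceDll = $dll
        Findings   = $findings
    }
}

Test-DnscacheConfig | Format-List
```

The RunsAs and Group fields let you compare what the service is configured for against the defaults the manual describes for each Windows version; anything in Findings warrants a closer look at the service and its DLL.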
It is not yet known whether Microsoft has released a patch for the exploit.