
UNM4SK3D: CIA, Google Play, and PlayStation


By: Olivia

August 25, 2017



The floodgates that are Wikileaks have yet to close. Another week has passed with yet another leak, the latest dubbed 'ExpressLane,' a tool which allows the CIA to spy on intelligence agencies such as the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS) and National Security Agency (NSA) while secretly collecting data from their systems. Using a biometric collection system which includes predefined hardware, operating system, and software, the agencies are able to voluntarily share collected biometric data on their systems with one another. That data, of course, is selective. So, the Office of Technical Services (OTS) within the CIA developed a tool to secretly exfiltrate all data collections from other agency systems. Installed manually as a part of the biometric system's routine upgrade, ExpressLane "will overtly appear to be just another part of this system. It’s called: MOBSLangSvc.exe and is stored in \Windows\System32." The OTS officers, who maintain biometric collection systems installed at liaison services, visit their premises and install the secret ExpressLane Trojan while displaying an "upgrade Installation screen with a progress bar that appears to be upgrading the biometric software." Once installed, ExpressLane will collect the desired files from the liaison system and store them encrypted in the "covert partition on a specially watermarked thumb drive when it is inserted into the system." The latest version, ExpressLane 3.1.1, removes itself after six months by default, in an attempt to remain undetected. ExpressLane uses two components in order to function: 'Create Partition,' a utility that gives agents the ability to create a covert partition on the target system where the collected information will be stored, and 'Exit Ramp,' which gives agents access to the data stored in the hidden partition using a thumb drive when they revisit.
This software system was designed similarly to software from Cross Match, a US company specialized in biometric software for law enforcement and the intelligence community, previously used to "identify Osama bin Laden during the assassination operation in Pakistan."
'ExpressLane' is installed and run with the cover of upgrading the biometric software by OTS agents that visit the liaison sites. Liaison officers overseeing this procedure will remain unsuspicious, as the data exfiltration disguises behind a Windows installation splash screen. -Wikileaks
For details on the previous Vault 7 leak, read this edition of 'UNM4SK3D.' 


Despite the buzz surrounding the launch of Android Oreo, Google had to remove over 500 apps from the Google Play Store after researchers discovered those apps were infected with a malicious ad library that secretly distributes spyware to users. Collectively, the infected apps have been downloaded more than 100 million times and range from teen gaming apps (which had the most downloads) to weather apps, radio apps, photo editing apps and travel apps. All of the infected apps were found to have a software development kit (SDK) called Igexin. "The Igexin SDK was designed for app developers to serve targeted advertisements to its users and generate revenue. To do so, the SDK also collects user data to help target interest-based ads. But besides collecting user data, Lookout researchers said they found the SDK behaved maliciously after they spotted several Igexin-integrated apps communicating with malicious IP addresses that deliver malware to devices unbeknownst to the creators of apps utilizing it." When the malware is delivered to infected devices, the SDK gathers logs of user information from their device, and has the ability to remotely install other plugins to the devices, which could "record call logs or reveal information about users' activities." According to Lookout, a mobile security firm, the apps themselves aren’t malicious. Researchers stressed the likelihood that many app developers were aware of the personal information that could be taken from their customers’ devices as a result of embedding Igexin’s ad SDK. Additionally, their research showed not all versions of the Igexin ad SDK deliver malicious functionality. Google has removed all the infected Android apps from the Play Store, but those who have already downloaded any of the apps should download Google Play Protect.
We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at https://sdk[.]open[.]phone[.], which is an endpoint used by the Igexin ad SDK. This sort of traffic is often the result of malware that downloads and executes code after an initially 'clean' app is installed, in order to evade detection. -Lookout researcher
In a similar scenario, security researchers at Sophos identified the adware library as Android XavirAd and its information-stealing component as Andr/Infostl-BK. Read the full details in this post from Tripwire.
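The traffic pattern the Lookout researcher describes above (a few small REST calls to the SDK endpoint, then a large encrypted download) is something a defender can look for in proxy or app-traffic logs. The script below is an added example written for this post, not code from Lookout, Sophos or the Igexin SDK: it scores the captured body of each response with Shannon entropy and flags an app whose large, near-random download follows at least two small API responses. The thresholds, the `.invalid` hostnames, the package names and the log records are all constructed for the example.

```python
import math
import random

# Thresholds: assumptions chosen for this example, not values from Lookout's report.
LARGE_BYTES = 256 * 1024   # responses at or above this size count as "large"
HIGH_ENTROPY = 7.5         # bits per byte; encrypted or compressed data sits near 8.0
MIN_PRIOR_CALLS = 2        # small API responses that must precede the large download


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_staged_downloads(records):
    """Return (app, host, path) triples where an app received at least
    MIN_PRIOR_CALLS small responses and then pulled a large, high-entropy body.

    `records` is a chronologically ordered iterable of dicts with keys app,
    host, path, size (full response length in bytes) and sample (the leading
    bytes of the body that the proxy captured).
    """
    prior_calls = {}   # app -> number of small responses seen so far
    flagged = []
    for r in records:
        app = r["app"]
        if r["size"] < LARGE_BYTES:
            # A small response is treated as an API/REST exchange.
            prior_calls[app] = prior_calls.get(app, 0) + 1
            continue
        enough_setup = prior_calls.get(app, 0) >= MIN_PRIOR_CALLS
        if enough_setup and shannon_entropy(r["sample"]) >= HIGH_ENTROPY:
            flagged.append((app, r["host"], r["path"]))
    return flagged


# --- Constructed sample traffic (apps and hosts are placeholders, not real) ---
_rng = random.Random(7)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
IMAGE_SAMPLE = b"\x00\xff" * 2048                                    # low-entropy stand-in
JSON_SAMPLE = b'{"status":"ok","plugins":["p1","p2"]}'

SAMPLE_LOG = [
    # Suspicious: two small API calls, then a 2 MB near-random blob.
    {"app": "com.example.weather", "host": "api.sdk.invalid", "path": "/v1/register",
     "size": 120, "sample": JSON_SAMPLE},
    {"app": "com.example.weather", "host": "api.sdk.invalid", "path": "/v1/config",
     "size": 340, "sample": JSON_SAMPLE},
    {"app": "com.example.weather", "host": "cdn.sdk.invalid", "path": "/blob/1",
     "size": 2_000_000, "sample": ENCRYPTED_SAMPLE},
    # Benign: two API calls, then a large but low-entropy asset.
    {"app": "com.example.notes", "host": "api.notes.invalid", "path": "/sync",
     "size": 200, "sample": JSON_SAMPLE},
    {"app": "com.example.notes", "host": "api.notes.invalid", "path": "/sync",
     "size": 210, "sample": JSON_SAMPLE},
    {"app": "com.example.notes", "host": "cdn.notes.invalid", "path": "/backup.png",
     "size": 1_500_000, "sample": IMAGE_SAMPLE},
    # Benign: a large high-entropy download with no preceding API exchange.
    {"app": "com.example.photos", "host": "cdn.photos.invalid", "path": "/photo.jpg",
     "size": 3_000_000, "sample": ENCRYPTED_SAMPLE},
]

if __name__ == "__main__":
    for hit in find_staged_downloads(SAMPLE_LOG):
        print("staged download:", hit)
```

Treat a hit as a lead for content inspection rather than a verdict: legitimate apps also fetch compressed or encrypted assets after talking to an API, so in practice the heuristic is paired with content-type checks, an allowlist of known CDN hosts, and a look at what the app does with the payload after download.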


OurMine, the infamous Saudi Arabian hacking group, recently overtook the official Twitter and Facebook accounts for Sony's PlayStation Network (PSN), claiming they had access to database information. This comes a week after the same group overtook HBO's social media. For those unfamiliar with PlayStation Network, it's the online service that powers Sony's digital storefront and all online gaming on the PS4. In a series of tweets and Facebook posts, OurMine encouraged Sony to contact them through their website to buy their security service. Despite OurMine calling themselves a 'security group,' its official website describes the group as "an elite hacker group known for many hacks showing vulnerabilities in major systems." In the past, OurMine has overtaken other social accounts as a demonstration of their power without taking further malicious action. Sony quickly deleted the OurMine posts and retook the accounts, but has yet to comment. The sensitivity from Sony comes after a massive data breach suffered in 2011, which gained much media attention, when the PlayStation hack "exposed the personal details of the entire PSN user base (over 77 Million at the time), including users names, date of births, email addresses, and credit card details." At this time, it is not confirmed whether or not the group has access to PSN's database.
We got only registration info [usernames, names, emails, etc.]. No, we are not going to release it. We are a security group; we will only send it to Sony to prove it. And no, Sony haven't contact us yet. -OurMine to Business Insider
OurMine has been busy on social media lately. Get details of the HBO social hack by reading this previous 'UNM4SK3D.' 


Starting next week, Cybrary will offer The Storm Mobile Security Toolkit. Storm is a fully-loaded penetration testing platform equipped with a customized distro of Kali Linux that allows you to complete your ethical hacking training on the go. Complete with a versatile Raspberry Pi-based touchscreen and a tailor-made system from EC-Council, this piece of hardware is the next generation of practical training. Accessed completely through your device, the Storm platform allows you to conduct wireless hacking, wired hacking, and RF hacking. Check the Cybrary catalog next week for details and to purchase!


The 2017 Password Power Rankings from Dashlane found that almost half (46%) of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. GoDaddy, Stripe, and QuickBooks lead with the best password policies.

Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.