New CIA 'Vault 7' leaks detail 'Achilles' and 'SeaPea' vulnerabilities for Snow Leopard, L...

Posted:
in macOS
The latest WikiLeaks "Vault 7" data dump demonstrates a pair of exploits developed in 2011 for Apple's Snow Leopard and Lion operating systems, that still require root access to install.




The latest data purloined by WikiLeaks from the U.S. CIA's "Imperial" project actually shows workable exploits against older versions of Apple's Mac operating systems. The first detailed package, named "Achilles," was developed by the agency on July 15 2011 for use against Snow Leopard systems. It was created to be inserted into a legitimate disk image, and install at the same time as the legitimate application on the image.

The user will still need to authorize credentials for the package to install. Should the target have run any checksums against the disk image, they would fail. Additionally, if the original disk image had an associated user agreement, it would not pop up in the version with the trojan.

More information is available about the "SeaPea" launcher, even though the leaked document is apparently the original draft. Where "Imperial" was a vector to install an undefined payload, "SeaPea" works on Snow Leopard or Lion, and contains executable hiding features, as well as a way to reduce its footprint to traffic monitoring applications.

Based on the detail provided by the leaked document, dated July 8, 2011, "SeaPea" is a much more mature tool. However, rather than hiding in an executable, "SeaPea" appears to require installers to have physical access to the computer itself, or the ability to remotely execute a Python script plus root access.

Mac OS X 10.6 Snow Leopard was released on August 28, 2009, and last updated on July 25, 2011 -- about the same time as the "Achilles" data was updated.

Puzzlingly, Mac OS X 10.7 Lion was released on July 20, 2011, after the "SeaPea" document was crafted. The last update for Lion was made on October 4, 2012.

Thursday's leak does not contain any record of successful exploits undertaken with the tool, but the targeting necessary, or physical access to a device required limit wide-scale use of the exploits.

On March 7, 8,761 files were released by WikiLeaks alleging that the U.S. Central Intelligence Agency has a dedicated iOS, Windows, and Android exploit team, and failed to keep the attack vectors under lock and key. Later on Tuesday, Apple noted that "many" of the attacks had already been dealt with in the course of updating iOS.

A closer look at the Apple exploits following initial release showed a great deal of effort put into attacking Apple gear, but found what had been disclosed at that point to be rudimentary, non-functional, or proof-of-concept only. The releases on Thursday are the first evidence that the CIA had functional tools to use against Apple hardware owners.

Comments

  • Reply 1 of 13
    sflocalsflocal Posts: 6,136member
    Snow Leopard and Lion?  So how many users does that include?  Two?

    I'm sure there are countless of folks, both government and individuals attempting to get into MacOS as easily as Windows.  Keep at it.  I'll trust Apple to keep my system more secure than Windows.
    dementuschikanlkruppmagman1979jony0lostkiwicornchip
  • Reply 2 of 13
    tipootipoo Posts: 1,158member
    Interesting. Question is, if Apple will follow what Microsoft did patching XP, with much more recent OSs like Snow Leopard which stopped getting other security patches a while back. 
  • Reply 3 of 13
    SoliSoli Posts: 10,038member
    sflocal said:
    Snow Leopard and Lion?  So how many users does that include?  Two?

    I'm sure there are countless of folks, both government and individuals attempting to get into MacOS as easily as Windows.  Keep at it.  I'll trust Apple to keep my system more secure than Windows.
    Considering it was released in 2011 and Lion was replaced until 2012, I'd say that makes the information relevant. The assumption that because you don't run Lion today that it means it wasn't an issue when you did, or that there aren't other exploits in use today that we'll find out years from now means you're missing the point.
    cornchippropodsmaffei
  • Reply 4 of 13
    rob53rob53 Posts: 3,308member
    "still require root access to install." In other words, it's not really a vulnerability, it's simply a malware program that could be required through a phishing attack. I don't see this as being a big deal until I see the way this package was intended to be delivered. It doesn't matter what OS version it was written for, all that matters is how the CIA intended on getting root access to the Mac. We've had to deal with this type of malware being delivered by Norton, Adobe, Microsoft and many others using "official" install packages.
    magman1979jony0cornchip
  • Reply 5 of 13
    I still use 10.6 on 2006 iMac and 2009 MacBook Pro. "Mac OS X 10.6 Snow Leopard was released on August 28, 2009, and last updated on July 25, 2011 —about the same time as the "Achilles" data was updated." I think there were one or two updates since then, one to add App Store, and another a few years ago to address some critical flaw.
  • Reply 6 of 13
    lkrupplkrupp Posts: 10,557member
    sflocal said:
    Snow Leopard and Lion?  So how many users does that include?  Two?

    I'm sure there are countless of folks, both government and individuals attempting to get into MacOS as easily as Windows.  Keep at it.  I'll trust Apple to keep my system more secure than Windows.
    Don't laugh. People still ask questions in the OS 9 forum of Apple Discussions.
    edited July 2017
  • Reply 7 of 13
    sflocal said:
    Snow Leopard and Lion?  So how many users does that include?  Two?

    I'm sure there are countless of folks, both government and individuals attempting to get into MacOS as easily as Windows.  Keep at it.  I'll trust Apple to keep my system more secure than Windows.
    It's likely more than you would expect, even when discounting your "Two?" as a joke.  Go into an Apple Store sometime and ask how many times they get people asking to do a Data Migration from Snow Leopard or how often they're asked to erase a computer and reinstall SL.  It's not that uncommon.
  • Reply 8 of 13
    Mike WuertheleMike Wuerthele Posts: 6,928administrator
    I still use 10.6 on 2006 iMac and 2009 MacBook Pro. "Mac OS X 10.6 Snow Leopard was released on August 28, 2009, and last updated on July 25, 2011 —about the same time as the "Achilles" data was updated." I think there were one or two updates since then, one to add App Store, and another a few years ago to address some critical flaw.
    One to add the app store, and the other to update certificates so software would keep working.

    There have been no meaningful security patches for half a decade.
    king editor the grate
  • Reply 9 of 13
    MisterKitMisterKit Posts: 514member
    There are a lot of still well functioning Macs who's EOL OS was Snow Leopard. I keep one alive to load in some older Logic files and use some audio interfaces which never received updated drivers.
  • Reply 10 of 13
    smaffeismaffei Posts: 237member
    rob53 said:
    "still require root access to install." In other words, it's not really a vulnerability, it's simply a malware program that could be required through a phishing attack. I don't see this as being a big deal until I see the way this package was intended to be delivered. It doesn't matter what OS version it was written for, all that matters is how the CIA intended on getting root access to the Mac. We've had to deal with this type of malware being delivered by Norton, Adobe, Microsoft and many others using "official" install packages.
    The point of the article was the CIA was modifying installers of software to trick targets to giving access (admin may be enough, a lot of times people confuse this with "root") to install the hack. It has been documented that the CIA / NSA have actually grabbed computers before they reached customers and installed things on them. So, it's not a far stretch that they've altered software packages people have bought too and re-shrinkwrapped them.
  • Reply 11 of 13
    One to add the app store, and the other to update certificates so software would keep working.

    There have been no meaningful security patches for half a decade.
    Ah, yes, the certificates! I consider software not working a critical flaw, so that's what I was thinking of. Thanks!
  • Reply 12 of 13
    teknishnteknishn Posts: 38member
    rob53 said:
    "still require root access to install." In other words, it's not really a vulnerability, it's simply a malware program that could be required through a phishing attack. I don't see this as being a big deal until I see the way this package was intended to be delivered. It doesn't matter what OS version it was written for, all that matters is how the CIA intended on getting root access to the Mac. We've had to deal with this type of malware being delivered by Norton, Adobe, Microsoft and many others using "official" install packages.
    This exactly.  With root access there are endless options to do no good.  You don't need a vulnerability to compromise a system if you have root access.
    edited July 2017
  • Reply 13 of 13
    Folks, it's all about the SYNC SERVICES....check out your brand new apple product's system report...there's a good chance it's got something to say in the Sync Services Summary, and don't be shocked if that dang thing ain't syncing with a box running 10.6 somewhere LOL

Sign In or Register to comment.