Skip to main content

Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online.




On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

Although the group has since signed off following the unprecedented disclosures, new "conclusive" evidence unearthed by Check Point Research shows that this was not an isolated incident, and those other threat actors may have had access to some of the same tools before they were published.

The previously undocumented cyber-theft took place more than two years prior to the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to strike American targets.

password auditor
"The caught-in-the-wild exploit of CVE-2017-0005, a zero-day attributed by Microsoft to the Chinese APT31 (aka Zirconium), is in fact a replica of an Equation Group exploit codenamed 'EpMe,'" Check Point researchers Eyal Itkin and Itay Cohen said. "APT31 had access to EpMe's files, both their 32-bits and 64-bits versions, more than two years before the Shadow Brokers leak."

The Equation Group, so-called by researchers from cybersecurity firm Kaspersky in February 2015, has been linked to a string of attacks affecting "tens of thousands of victims" as early as 2001, with some of the registered command-and-control servers dating back to 1996. Kaspersky called the group the "crown creator of cyberespionage."

An Unknown Privilege Escalation Exploit
First revealed in March 2017, CVE-2017-0005 is a security vulnerability in the Windows Win32k component that could potentially allow elevation of privileges (EoP) in systems running Windows XP and up to Windows 8. The flaw was reported to Microsoft by Lockheed Martin's Computer Incident Response Team.

Check Point has named the cloned variant "Jian" after a double-edged straight sword used in China during the last 2,500 years, referencing its origins as an attack tool developed by the Equation Group that was then weaponized to serve as a "double-edged sword" to attack U.S. entities.


Timeline of the events detailing the story of EpMe / Jian / CVE-2017-0005
Jian is said to have been replicated in 2014 and put in operation since at least 2015 until the underlying flaw was patched by Microsoft in 2017.

APT31, a state-sponsored hacking collective, is alleged to conduct reconnaissance operations at the behest of the Chinese Government, specializing in intellectual property theft and credential harvesting, with recent campaigns targeting U.S. election staff with spear-phishing emails containing links that would download a Python-based implant hosted on GitHub, allowing an attacker to upload and download files as well as execute arbitrary commands.


Stating that the DanderSpritz post-exploitation framework contained four different Windows EoP modules, two of which were zero-days at the time of its development in 2013, Check Point said one of the zero-days — dubbed "EpMo" — was silently patched by Microsoft "with no apparent CVE-ID" in May 2017 in response to the Shadow Brokers leak. EpMe was the other zero-day.

DanderSpritz was among the several exploit tools leaked by the Shadow Breakers on April 14, 2017, under a dispatch titled "Lost in Translation." The leak is best known for publishing the EternalBlue exploit that would later power the WannaCry and NotPetya ransomware infections that caused tens of billions of dollars' worth of damage in over 65 countries.

This is the first time a new Equation Group exploit has come to light despite EpMo's source code being publicly accessible on GitHub since the leak almost four years ago.

For its part, EpMo was deployed in machines running Windows 2000 to Windows Server 2008 R2 by exploiting a NULL-Deref vulnerability in Graphics Device Interface's (GDI) User Mode Print Driver (UMPD) component.

Jian and EpMe Overlap
"On top of our analysis of both the Equation Group and APT31 exploits, the EpMe exploit aligns perfectly with the details reported in Microsoft's blog on CVE-2017-0005," the researchers noted. "And if that wasn't enough, the exploit indeed stopped working after Microsoft's March 2017 patch, the patch that addressed the said vulnerability."


Apart from this overlap, both EpMe and Jian have been found to share an identical memory layout and the same hard-coded constants, lending credence to the fact that one of the exploits was most probably copied from the other, or that both parties were inspired by an unknown third-party.

But so far, there are no clues alluding to the latter, the researchers said.

Interestingly, while EpMe didn't support Windows 2000, Check Point's analysis uncovered Jian to have "special cases" for the platform, raising the possibility that APT31 copied the exploit from the Equation Group at some point in 2014, before tweaking it to suit their needs and ultimately deploying the new version against targets, including possibly Lockheed Martin.

Reached for comment, a spokesperson for Lockheed Martin said "our cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties."

Not the First Time
Check Point's findings are not the first time Chinese hackers have purportedly hijacked NSA's arsenal of exploits. In May 2019, Broadcom's Symantec reported that a Chinese hacking group called APT3 (or Buckeye) also had repurposed an NSA-linked backdoor to infiltrate telecom, media, and manufacturing sectors.

But unlike APT31, Symantec's analysis pointed out that the threat actor may have engineered its own version of the tools from artifacts found in captured network communications, potentially as a result of observing an Equation Group attack in action.

That Jian, a zero-day exploit previously attributed to APT31, is actually a cyber offensive tool created by the Equation Group for the same vulnerability signifies the importance of attribution for both strategic and tactical decision making.

"Even though 'Jian' was caught and analyzed by Microsoft at the beginning of 2017, and even though the Shadow Brokers leak exposed Equation Group's tools almost four years ago, there is still a lot one can learn from analyzing these past events," Cohen said.

"The mere fact that an entire exploitation module, containing four different exploits, was just lying around unnoticed for four years on GitHub, teaches us about the enormity of the leak around Equation Group tools."



THN


#osutayusuf

Comments

Popular posts from this blog

Escaped Murder Suspect Finally Arrested in Yumbe Regional Referral Hospital, Yumbe District.

Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link  https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html   to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...

41-Years-Old Man Digs His Own Grave in Maracha District.

Story by Osuta Yusuf.  Maracha District.  📸: The grave been dug by Mr Opiga Michael, a victim of frustration. Photo taken by Osuta Yusuf , on Wednesday 11-September-2024. The residents of Ebapi village, Baria Parish in Nyadri Sub-county, Maracha east constituency, Maracha District are in shock after a 41 year old man started digging his own grave. The man, identified as Mr Opiga Michael, who seems to be frustrated over some challenges in life, started digging his own grave on Tuesday 10-September-2024 until he was stopped by the elders in Nyaria clan. 📸: Opiga Michael, the Victim of Frustration. Photo by Osuta Yusuf , Information is Power. While speaking to our reporter on Wednesday evening 11-September-2024, Mr Opiga Michael, said, his main plan  was to commit suicide after finishing digging the grave for burying himself, explained that, he feels frustrated, abandoned and hated by his own clan people, whom he accused of piling lies against him a...

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nil...