Skip to main content

Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online.




On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

Although the group has since signed off following the unprecedented disclosures, new "conclusive" evidence unearthed by Check Point Research shows that this was not an isolated incident, and those other threat actors may have had access to some of the same tools before they were published.

The previously undocumented cyber-theft took place more than two years prior to the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to strike American targets.

password auditor
"The caught-in-the-wild exploit of CVE-2017-0005, a zero-day attributed by Microsoft to the Chinese APT31 (aka Zirconium), is in fact a replica of an Equation Group exploit codenamed 'EpMe,'" Check Point researchers Eyal Itkin and Itay Cohen said. "APT31 had access to EpMe's files, both their 32-bits and 64-bits versions, more than two years before the Shadow Brokers leak."

The Equation Group, so-called by researchers from cybersecurity firm Kaspersky in February 2015, has been linked to a string of attacks affecting "tens of thousands of victims" as early as 2001, with some of the registered command-and-control servers dating back to 1996. Kaspersky called the group the "crown creator of cyberespionage."

An Unknown Privilege Escalation Exploit
First revealed in March 2017, CVE-2017-0005 is a security vulnerability in the Windows Win32k component that could potentially allow elevation of privileges (EoP) in systems running Windows XP and up to Windows 8. The flaw was reported to Microsoft by Lockheed Martin's Computer Incident Response Team.

Check Point has named the cloned variant "Jian" after a double-edged straight sword used in China during the last 2,500 years, referencing its origins as an attack tool developed by the Equation Group that was then weaponized to serve as a "double-edged sword" to attack U.S. entities.


Timeline of the events detailing the story of EpMe / Jian / CVE-2017-0005
Jian is said to have been replicated in 2014 and put in operation since at least 2015 until the underlying flaw was patched by Microsoft in 2017.

APT31, a state-sponsored hacking collective, is alleged to conduct reconnaissance operations at the behest of the Chinese Government, specializing in intellectual property theft and credential harvesting, with recent campaigns targeting U.S. election staff with spear-phishing emails containing links that would download a Python-based implant hosted on GitHub, allowing an attacker to upload and download files as well as execute arbitrary commands.


Stating that the DanderSpritz post-exploitation framework contained four different Windows EoP modules, two of which were zero-days at the time of its development in 2013, Check Point said one of the zero-days — dubbed "EpMo" — was silently patched by Microsoft "with no apparent CVE-ID" in May 2017 in response to the Shadow Brokers leak. EpMe was the other zero-day.

DanderSpritz was among the several exploit tools leaked by the Shadow Breakers on April 14, 2017, under a dispatch titled "Lost in Translation." The leak is best known for publishing the EternalBlue exploit that would later power the WannaCry and NotPetya ransomware infections that caused tens of billions of dollars' worth of damage in over 65 countries.

This is the first time a new Equation Group exploit has come to light despite EpMo's source code being publicly accessible on GitHub since the leak almost four years ago.

For its part, EpMo was deployed in machines running Windows 2000 to Windows Server 2008 R2 by exploiting a NULL-Deref vulnerability in Graphics Device Interface's (GDI) User Mode Print Driver (UMPD) component.

Jian and EpMe Overlap
"On top of our analysis of both the Equation Group and APT31 exploits, the EpMe exploit aligns perfectly with the details reported in Microsoft's blog on CVE-2017-0005," the researchers noted. "And if that wasn't enough, the exploit indeed stopped working after Microsoft's March 2017 patch, the patch that addressed the said vulnerability."


Apart from this overlap, both EpMe and Jian have been found to share an identical memory layout and the same hard-coded constants, lending credence to the fact that one of the exploits was most probably copied from the other, or that both parties were inspired by an unknown third-party.

But so far, there are no clues alluding to the latter, the researchers said.

Interestingly, while EpMe didn't support Windows 2000, Check Point's analysis uncovered Jian to have "special cases" for the platform, raising the possibility that APT31 copied the exploit from the Equation Group at some point in 2014, before tweaking it to suit their needs and ultimately deploying the new version against targets, including possibly Lockheed Martin.

Reached for comment, a spokesperson for Lockheed Martin said "our cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties."

Not the First Time
Check Point's findings are not the first time Chinese hackers have purportedly hijacked NSA's arsenal of exploits. In May 2019, Broadcom's Symantec reported that a Chinese hacking group called APT3 (or Buckeye) also had repurposed an NSA-linked backdoor to infiltrate telecom, media, and manufacturing sectors.

But unlike APT31, Symantec's analysis pointed out that the threat actor may have engineered its own version of the tools from artifacts found in captured network communications, potentially as a result of observing an Equation Group attack in action.

That Jian, a zero-day exploit previously attributed to APT31, is actually a cyber offensive tool created by the Equation Group for the same vulnerability signifies the importance of attribution for both strategic and tactical decision making.

"Even though 'Jian' was caught and analyzed by Microsoft at the beginning of 2017, and even though the Shadow Brokers leak exposed Equation Group's tools almost four years ago, there is still a lot one can learn from analyzing these past events," Cohen said.

"The mere fact that an entire exploitation module, containing four different exploits, was just lying around unnoticed for four years on GitHub, teaches us about the enormity of the leak around Equation Group tools."



THN


#osutayusuf

Comments

Post a Comment

Popular posts from this blog

Vurra Constituency MP Adriko Yovan gets six months imprisonment for failing to repay loan.

📸: Hon Adriko Yovan. Story By Andrew Cohen Amvesi. ARUA . Yovan Adriko, the Vurra County Member of Parliament (MP) in Arua district has been committed to six months civil prison for failing to clear debts amounting to shs55,677,400. Adriko was on Thursday evening sent to Arua government prison to serve six months shortly after his arrest at Slumberland hotel in Arua City. MP Adriko warrant of committal judgement debtor to jail. Paul Mawa of T/A Vitality Associates, the court bailiff assigned to arrest the MP, duped him to come and pick some money for a land transaction at Slumberland hotel where he picked him like a baby after a long hunt. Adriko was immediately arraigned before Her Worship Karungi Leo, the Deputy Registrar of Arua High Court who later committed him to imprisonment not exceeding six months. Part of Adriko’s warrant of arrest issued b court Adriko was sent to the coolers for failing to clear shs48m which is the princip
1 comment
Read more

Arrested Arua City Officials Taken to Kampala this Night.

Wednesday 8-November-2023. 📸: The arrest of Arua City Physical Planner Mr Findru Moses on 6-Nov-2023 at around 2pm. 📸: Mr Jobile Cornelius the City Deputy town clerk who was arrested on 7-Nov-2023 at around 4pm. 📸: Mrs Lillian Aleni (in red cloth) and Mr Edoni Benard being handcuffed by police officer on 6-Nov-2023 at around 6pm. The bail that was to be issued last night 8pm 7-Nov-2023 to release the arrested City Deputy town clerk Mr Jobile Cornelius and CFO Mr Sam Adriko over mismanagement of government properties and monies was canceled, and by this time of the night 11pm, highly placed sources leaked that, all the arrested suspects (Mr Findru Moses the Arua City Physical Planner, Mr Jobile Cornelius the Deputy City clerk, Mr Adriko Sam the CFO, Mr Edoni Benard the PDM BOG Chairperson for Pangisa ward and Mrs Lillian Aleni the parish chief for Pangisa ward) are being transported by State House Anti-corruption Unit officers who will soon be reac
Post a Comment
Read more

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nile re
Post a Comment
Read more