
Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online.




On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated with the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

Although the group has since signed off following the unprecedented disclosures, new "conclusive" evidence unearthed by Check Point Research shows that this was not an isolated incident, and that other threat actors may have had access to some of the same tools before they were published.

The previously undocumented cyber-theft took place more than two years prior to the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to strike American targets.

"The caught-in-the-wild exploit of CVE-2017-0005, a zero-day attributed by Microsoft to the Chinese APT31 (aka Zirconium), is in fact a replica of an Equation Group exploit codenamed 'EpMe,'" Check Point researchers Eyal Itkin and Itay Cohen said. "APT31 had access to EpMe's files, both their 32-bit and 64-bit versions, more than two years before the Shadow Brokers leak."

The Equation Group, so named by researchers from cybersecurity firm Kaspersky in February 2015, has been linked to a string of attacks affecting "tens of thousands of victims" as early as 2001, with some of the registered command-and-control servers dating back to 1996. Kaspersky called the group the "crown creator of cyberespionage."

An Unknown Privilege Escalation Exploit
First revealed in March 2017, CVE-2017-0005 is a security vulnerability in the Windows Win32k component that could potentially allow elevation of privileges (EoP) in systems running Windows XP and up to Windows 8. The flaw was reported to Microsoft by Lockheed Martin's Computer Incident Response Team.

Check Point has named the cloned variant "Jian" after a double-edged straight sword used in China during the last 2,500 years, referencing its origins as an attack tool developed by the Equation Group that was then weaponized to serve as a "double-edged sword" to attack U.S. entities.


Timeline of the events detailing the story of EpMe / Jian / CVE-2017-0005
Jian is said to have been replicated in 2014 and put in operation since at least 2015 until the underlying flaw was patched by Microsoft in 2017.

APT31, a state-sponsored hacking collective, is alleged to conduct reconnaissance operations at the behest of the Chinese Government, specializing in intellectual property theft and credential harvesting, with recent campaigns targeting U.S. election staff with spear-phishing emails containing links that would download a Python-based implant hosted on GitHub, allowing an attacker to upload and download files as well as execute arbitrary commands.


Stating that the DanderSpritz post-exploitation framework contained four different Windows EoP modules, two of which were zero-days at the time of its development in 2013, Check Point said one of the zero-days — dubbed "EpMo" — was silently patched by Microsoft "with no apparent CVE-ID" in May 2017 in response to the Shadow Brokers leak. EpMe was the other zero-day.

DanderSpritz was among the several exploit tools leaked by the Shadow Brokers on April 14, 2017, under a dispatch titled "Lost in Translation." The leak is best known for publishing the EternalBlue exploit that would later power the WannaCry and NotPetya ransomware infections that caused tens of billions of dollars' worth of damage in over 65 countries.

Although EpMo's source code has been publicly accessible on GitHub since the leak almost four years ago, this is the first time the exploit has been documented, making it a newly surfaced Equation Group exploit.

For its part, EpMo was deployed in machines running Windows 2000 to Windows Server 2008 R2 by exploiting a NULL-Deref vulnerability in Graphics Device Interface's (GDI) User Mode Print Driver (UMPD) component.

Jian and EpMe Overlap
"On top of our analysis of both the Equation Group and APT31 exploits, the EpMe exploit aligns perfectly with the details reported in Microsoft's blog on CVE-2017-0005," the researchers noted. "And if that wasn't enough, the exploit indeed stopped working after Microsoft's March 2017 patch, the patch that addressed the said vulnerability."


Apart from this overlap, both EpMe and Jian have been found to share an identical memory layout and the same hard-coded constants, lending credence to the possibility that one of the exploits was copied from the other, or that both parties were inspired by an unknown third party.

But so far, there are no clues alluding to the latter, the researchers said.
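The comparison Check Point describes, two samples sharing the same hard-coded constants, can be approximated with a plain byte scan for 32-bit immediates followed by a set comparison. The Python below is an added example written for this page; it is not Check Point's tooling and does not contain EpMe or Jian bytes. The two byte strings are constructed stand-ins, the filler and "opcode" bytes are arbitrary, and every function name is hypothetical.

```python
import struct
from typing import Set

# Well-known filler/sentinel patterns that would match between almost any two
# binaries and therefore carry no attribution signal.
NOISE = {0x0, 0xFFFFFFFF, 0x90909090, 0xCCCCCCCC}


def _blob(consts, filler: bytes) -> bytes:
    """Build a constructed pseudo-binary: each constant is preceded by a fake
    one-byte opcode and followed by a few filler bytes, so the immediates land
    at unaligned offsets just as they would in real x86 code."""
    out = bytearray()
    for i, c in enumerate(consts):
        out += bytes([0xB8 + (i % 8)])      # fake "mov reg, imm32" opcode byte
        out += struct.pack("<I", c)         # the hard-coded constant itself
        out += filler[i % len(filler):][:3] # 1-3 bytes of padding
    return bytes(out)


# Constructed sample inputs (hypothetical values, not from any real exploit).
# SHARED stands in for constants such as object offsets or magic values that
# two independently written exploits would be unlikely to have in common.
SHARED = [0x1A2B3C4D, 0xDEADC0DE, 0x0000FFF0, 0x7FFE0300]
SAMPLE_A = _blob(SHARED + [0x12345678, 0x0BADF00D], b"\x90\x90\xCC")
SAMPLE_B = _blob(SHARED + [0xCAFEBABE, 0x0BADF00D], b"\xCC\x90\x90")


def extract_constants(blob: bytes, min_value: int = 0x1000) -> Set[int]:
    """Collect every 32-bit little-endian value at every byte offset that looks
    like a deliberate constant: large enough not to be a small loop counter or
    stack offset, and not a known filler pattern. Unaligned junk values are
    accepted on purpose; they are unlikely to coincide between two samples."""
    found = set()
    for off in range(len(blob) - 3):
        v = struct.unpack_from("<I", blob, off)[0]
        if v >= min_value and v not in NOISE:
            found.add(v)
    return found


def shared_constants(a: bytes, b: bytes) -> Set[int]:
    """Constants present in both samples; the attribution signal."""
    return extract_constants(a) & extract_constants(b)


def jaccard(a: bytes, b: bytes) -> float:
    """Set similarity of the two constant pools, 0.0 (nothing shared) to 1.0."""
    ca, cb = extract_constants(a), extract_constants(b)
    return len(ca & cb) / len(ca | cb) if (ca | cb) else 0.0


if __name__ == "__main__":
    common = shared_constants(SAMPLE_A, SAMPLE_B)
    print("shared constants:", ", ".join(f"0x{c:08X}" for c in sorted(common)))
    print(f"jaccard similarity: {jaccard(SAMPLE_A, SAMPLE_B):.2f}")
```

Shared constants alone do not prove copying; a practitioner would pair this with the other evidence the researchers cite (matching memory layout, the exploit breaking on the same patch) before drawing an attribution conclusion, since a common third-party source would produce the same overlap.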

Interestingly, while EpMe didn't support Windows 2000, Check Point's analysis uncovered Jian to have "special cases" for the platform, raising the possibility that APT31 copied the exploit from the Equation Group at some point in 2014, before tweaking it to suit their needs and ultimately deploying the new version against targets, including possibly Lockheed Martin.

Reached for comment, a spokesperson for Lockheed Martin said "our cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties."

Not the First Time
Check Point's findings are not the first time Chinese hackers have purportedly hijacked NSA's arsenal of exploits. In May 2019, Broadcom's Symantec reported that a Chinese hacking group called APT3 (or Buckeye) also had repurposed an NSA-linked backdoor to infiltrate telecom, media, and manufacturing sectors.

But unlike the Jian case, where the files themselves appear to have been obtained, Symantec's analysis pointed out that APT3 may have engineered its own version of the tools from artifacts found in captured network communications, potentially as a result of observing an Equation Group attack in action.

That Jian, a zero-day exploit previously attributed to APT31, is actually a cyber offensive tool created by the Equation Group for the same vulnerability underscores the importance of attribution for both strategic and tactical decision making.

"Even though 'Jian' was caught and analyzed by Microsoft at the beginning of 2017, and even though the Shadow Brokers leak exposed Equation Group's tools almost four years ago, there is still a lot one can learn from analyzing these past events," Cohen said.

"The mere fact that an entire exploitation module, containing four different exploits, was just lying around unnoticed for four years on GitHub, teaches us about the enormity of the leak around Equation Group tools."



THN

