Thursday, September 23, 2021

Chinese hackers had access to U.S. hacking tools and cloned an attack tool

Must Read

Canada Names China, Russia as Chief cyber-crime Risks; sees Danger to Electricity supply

Canada on Wednesday identified state-sponsored applications in China, Russia, Iran, and North Korea as important cybercrime threats for the...

Hackers ask 500 Bitcoin ransom from Tether

Tether, the issuer of the USDT stablecoin, claims to have received a ransom note asking for 500 bitcoin (currently worth about USD $22...

Hacker leaks the user Information of event management app Peatix

Over 4.2 million consumer accounts are made available for downloading online earlier this month.A hacker has leaked that this...

Chinese threat actors “cloned” and used a Windows zero-day exploit stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched, researchers say. 

On August 13, 2016, a hacking unit calling itself “The Shadow Brokers” announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

The Jian tool was used to exploit a Windows zero-day vulnerability years before a patch was issued.

On Monday, Check Point Research (CPR) said the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by FireEye in 2015 and described as “one of the most sophisticated cyber-attack groups in the world.”

The previously undocumented cyber-theft took place more than two years before the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to attack U.S. targets.

Thought to be active since at least 2001, Equation Group has since been linked to the US intelligence agency’s Tailored Access Operations (TAO) unit. 

The Shadow Brokers hacking group released Equation Group tools and files in 2017, some of which were used to exploit previously unknown bugs in popular programs, including Microsoft Windows – forcing retailers to issue more patches and quick fixes to exploit useless tools.

In the same year, Microsoft released the CVE-2017-0005 version, a zero-day risk factor for Windows XP on Windows 8 applications that could be used for privileges and a complete compromise.

Initially, it was thought that the tool designed to exploit CVE-2017-0005 was the work of a Chinese opposition group (APT) called APT31, also known as Zirconium.

However, Check Point now claims that the tool, called Jian, was actually a combination of software used by Equation Group and was actively used between 2014 and 2017 – years before the risk could not be created – and was not customized by threatening Chinese actors.

According to investigators, Jian is a bunch of “EpMe,” which was re-introduced in the 2017 Shadow Brokers “Lost in Translation,” rewarding and “re-released” to attack US citizens.

“Both APT31” Jian “or Equation Group” EpMe “exploits are designed to promote the rights of the attacker in your local Windows environment,” said CPR.

The tool is used after the attacker has first accessed the targeted computer – that is, at the risk of a random click, an email theft of sensitive information, or otherwise – to give the attacker the highest rights available, to “roam free” and do whatever they want on an already infected computer.

The team notes that Lokheed Martin reported CVE-2017-0005 at Microsoft, which they say is an “unusual” footnote on the investigation.

“As far as we know, this is the only risk their [Lokheed Martin] have reported in recent years,” Check Point said. “It is possible that one of their clients, or Lokheed Martin himself, has been identified by this player.”

APT31 is believed to have access to the Equation Group exploitation module – both 32- and 64-bit models. While cybersecurity researchers are not sure how Chinese APT discovered the exploitation, it may have been taken over during Equation The group’s attack on China’s target.

Alternatively, the tool may have been stolen while Equation Group was on the network and monitored by APT31 or during a direct attack by APT31 on Equation Group systems.

The investigation into Jian also revealed a module containing four ways to use the rights to increase that was part of the Equation Group’s DanderSpritz framework for exploitation.

Two draft actions, starting in 2013, were zero-day errors. One of these exploits is by EpMe, and another, called “EpMo,” appears to have been peacefully marked in May 2017 by Microsoft as a follow-up solution to respond to the Shadow Brokers leak has not been offered to CVE. The remaining code names are EIEi and ErNi.

This is not the only example of Chinese APT stealing and restoring Equation Group tools. In another lawsuit filed by Symantec in 2019, APT3 “Buckeye” was linked to an attack using Equation Group tools in 2016, before Shadow Brokers’ leak.

While Buckeye looks set to collapse in mid-2017, the tools were in use until 2018 – but it is unknown whether they will be transferred or not anyone.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

Apple Releases patches for an actively exploited zero-day flaw in ios, macOS

Apple on Monday Release an urgent security patch for iOS,macOS, iPadOS, to address a zero-day flaw that has been actively exploited.Apple has revealed that...

More Articles Like This