Saturday, June 12, 2021

Chinese hackers had access to U.S. hacking tools and cloned an attack tool


Chinese threat actors “cloned” and used a Windows zero-day exploit stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched, researchers say. 

On August 13, 2016, a hacking unit calling itself “The Shadow Brokers” announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

The Jian tool was used to exploit a Windows zero-day vulnerability years before a patch was issued.

On Monday, Check Point Research (CPR) said the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by FireEye in 2015 and described as “one of the most sophisticated cyber-attack groups in the world.”

The previously undocumented cyber-theft took place more than two years before the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to attack U.S. targets.

Thought to be active since at least 2001, Equation Group has since been linked to the US intelligence agency’s Tailored Access Operations (TAO) unit. 

The Shadow Brokers hacking group released Equation Group tools and files in 2017, some of which were used to exploit previously unknown bugs in popular software, including Microsoft Windows – forcing vendors to issue patches and quick fixes to render the tools useless.

In the same year, Microsoft patched CVE-2017-0005, a zero-day vulnerability affecting Windows XP through Windows 8 systems that could be used for privilege escalation and full compromise.

Initially, it was thought that the tool designed to exploit CVE-2017-0005 was the work of a Chinese advanced persistent threat (APT) group called APT31, also known as Zirconium.

However, Check Point now claims that the tool, called Jian, was actually a clone of software used by Equation Group and was in active use between 2014 and 2017 – years before the vulnerability was patched – and was repurposed by Chinese threat actors.

According to the researchers, Jian is a clone of “EpMe,” which was exposed in the 2017 Shadow Brokers “Lost in Translation” leak, then repurposed and “reused” to attack U.S. targets.

“Both APT31’s ‘Jian’ and Equation Group’s ‘EpMe’ exploits are designed to escalate the attacker’s privileges in the local Windows environment,” said CPR.

The tool is used after the attacker has already gained initial access to the targeted computer – for example through a malicious link, a phishing email, or some other means – to give the attacker the highest privileges available, so they can “roam free” and do whatever they want on an already-infected machine.

The team notes that Lockheed Martin reported CVE-2017-0005 to Microsoft, which they describe as an “unusual” footnote to the investigation.

“As far as we know, this is the only vulnerability they [Lockheed Martin] have reported in recent years,” Check Point said. “It is possible that one of their clients, or Lockheed Martin itself, was targeted by this actor.”

APT31 is believed to have had access to the Equation Group exploit module in both its 32- and 64-bit versions. While the researchers are not sure how the Chinese APT obtained the exploit, it may have been captured during an Equation Group attack on a Chinese target.

Alternatively, the tool may have been taken while Equation Group was present on a network that APT31 was monitoring, or during a direct attack by APT31 on Equation Group systems.

The investigation into Jian also revealed a module containing four privilege escalation exploits that was part of Equation Group’s DanderSpritz exploitation framework.

Two of these exploits, dating from 2013, were zero-days. One is EpMe, and the other, called “EpMo,” appears to have been silently patched by Microsoft in May 2017 as a follow-up response to the Shadow Brokers leak, without being assigned a CVE. The remaining exploits are code-named EIEi and ErNi.

This is not the only example of a Chinese APT stealing and repurposing Equation Group tools. In another case, reported by Symantec in 2019, APT3 “Buckeye” was linked to an attack using Equation Group tools in 2016, before the Shadow Brokers leak.

While Buckeye appears to have wound down in mid-2017, the tools remained in use until 2018 – but it is unknown whether or not they were passed on to anyone else.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.