China cloned and used an NSA 0-Day exploit for years before it went public

Many will remember the disclosure of the NSA's secret hacking tools orchestrated by the hacking group known as Shadow Brokers, which arrived just over four years ago. Among the leaked software was a tool called "EpMe," which elevates the privileges of a vulnerable Windows system to the level of system administrator, giving full control of the machine.

According to a report published on Monday by Check Point, long before that disclosure, a group of hackers affiliated with Beijing had managed to get its hands on the exploit, clone it, and use it for years.

In 2013, an entity called "Equation Group", widely believed to be a division of the NSA, set out to develop a series of exploits, including one called "EpMe" that elevates the privileges of a vulnerable Windows system to administrator, giving it full control.

This allows someone with access to a machine to control the entire system. In 2017, a large number of tools developed by Equation Group were disclosed online by Shadow Brokers.

Around this time, Microsoft cancelled its scheduled February patch release, identified the vulnerability exploited by EpMe (CVE-2017-0005), and fixed it a few weeks later.

It should be noted that Lockheed Martin, the US defense and security company, is reported to have been the first to identify the flaw and alert Microsoft to it, suggesting that it could have been used against a US target.

In mid-2017, Microsoft quietly patched the vulnerability that EpMe exploited. That, at least, was the timeline of the story until the release of the Check Point report on Monday.

The report provides evidence that things did not turn out exactly that way. The company discovered that a group of Chinese hackers known as APT31, also known as Zirconium or "Judgment Panda", had somehow managed to obtain and use EpMe.

Specifically, the report estimates that between 2014 and 2015, APT31 developed an exploit, which Check Point named "Jian", by cloning EpMe in some way. APT31 is then believed to have used this tool from 2015 until March 2017, when Microsoft fixed the vulnerability it targeted.

This would mean that APT31 gained access to EpMe, a 'privilege escalation' exploit, long before the leaks carried out by Shadow Brokers between late 2016 and early 2017.

"The EpMe / Jian case is unique because we have evidence that Jian was created from the actual sample of the exploit created by Equation Group," Check Point said in the report. So how did they get it? Having dated the APT31 samples to three years before the Shadow Brokers leak, the company suggests that the Equation Group exploit samples could have been acquired by APT31 in one of the following ways:

captured during an Equation Group attack on a Chinese target;
captured during an Equation Group operation on a third party network that was also monitored by APT31;
captured by APT31 during an attack on Equation Group's infrastructure.

A person familiar with the matter said that Lockheed Martin, which identified the vulnerability exploited by Jian in 2017, discovered it on the network of an unidentified third party. The person also said that the infected network was not part of Lockheed Martin's supply chain, but declined to share further details.

In a statement, responding to Check Point's investigation, Lockheed Martin said that it "regularly evaluates third-party software and technology to identify vulnerabilities and responsibly report them to developers and other stakeholders."

For its part, the NSA declined to comment on the Check Point report's findings, and the Chinese Embassy in Washington did not respond to requests for comment. The discovery comes as some experts argue that American spies should spend more energy fixing the loopholes they find in software rather than developing and deploying malware to exploit them.

Check Point says it made this discovery while researching old Windows privilege escalation tools in order to build "fingerprints" of them.

Source: https://blog.checkpoint.com
