
China stole NSA zero day—4+ years before Shadow Brokers leak

Richi Jennings Industry analyst and editor, RJAssociates

Remember 2017’s leak of NSA hacking tools, including EternalBlue? It turns out that China already had some of those tools, according to researchers.

At least eight years ago, APT31—widely believed to be a Chinese-state hacking organization—was using a particular zero-day against targets. Finally patched in March 2017, CVE-2017-0005 was an LPE in the Windows graphics subsystem, which was exploited in a remarkably similar way by both APT31 and the NSA’s TAO (also known as S32).

Too much alphanumeric soup? In this week’s Security Blogwatch, all will become clear.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ST:Acid.

APT31 vs. S32: FIGHT!

What’s the craic? Andy Greenberg reports—China Hijacked an NSA Hacking Tool in 2014:

A Chinese group known as APT31 … somehow gained access to and used a Windows-hacking tool known as EpMe created by the Equation Group … widely understood to be a part of the NSA. … The Chinese hackers then used that tool … from 2015 until March 2017, when Microsoft patched the vulnerability.

APT31 had access to the … privilege escalation exploit … long before the late 2016 and early 2017 Shadow Brokers leaks. … APT31's [version] appears to have been built by someone with hands-on access to the Equation Group's compiled program.

And Kieren McCarthy wonders if this illustrates The perils of non-disclosure:

It could be that Beijing obtained a copy of Equation Group's EpMe, or observed it being used and recreated it, and used it while the hole in Microsoft's Windows remained unfixed. Or the Chinese could have found the same bug within the OS.

[It] again raises the question over whether it is in the US intelligence community’s best interests to share the details of any exploitable vulnerabilities they find – rather than try to keep them a secret and use them themselves. … Ultimately the tools will leak (or the bugs will be discovered by others) and expose US businesses and institutions to hacking attempts.

[It] opens the possibility that the nightmare hack of US government departments and Fortune 500 companies through SolarWinds networking software was the result of US-government developed exploits that had been directed back at the US.

Who found it? Itay Cohen—@megabeets_—was one of the pair of Check Point researchers:

@EyalItkin and I analyze Windows LPE 0-Day exploits and try to extract unique "fingerprints" that can be used for attribution of past and future exploits. We [set out] to analyze CVE-2017-0005, a 0-Day of a particular interest.

When reversing [it] and scanning our databases for extremely unique artifacts we extracted from it, we were surprised that the results we got were samples from the Shadow Brokers' "Lost in Translation" leak. [So] the Chinese attackers behind "Jian" had access to Equation Group's "EpMe" 0-Day binaries (way before the Shadow Brokers leak).

[In] EQGRP's comprehensive and modular post-exploitation framework … DanderSpritz, there was a yet-to-be-discussed exploitation module named "NtElevation" that contains a set of 4 LPE exploits that are used by Equation Group on infected machines, 2 of [which] we found when we searched for artifacts extracted from "Jian". … The mere fact that … 4 different exploits [were] just lying around for 4 years in GitHub and went unnoticed, teaches us about the enormity of the leak of Equation Group tools.
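The artifact-fingerprinting approach Cohen describes (pull distinctive strings and constants out of a sample, look them up in a database of known samples, and weight the rare hits) can be sketched in a few dozen lines. The block below is an added illustration, not Check Point's tooling and not code from the original post: the byte blobs are constructed stand-ins for compiled samples, and the artifact extractor, the rarity weighting and the ranking are all assumptions made for the example.

```python
import re
import struct
from collections import Counter
from math import log


def _blob(strings, consts):
    """Build a constructed stand-in for a compiled sample: a few NUL-terminated
    strings followed by 'mov eax, imm32'-style encodings (0xB8 + little-endian dword).
    These are synthetic bytes, not real exploit or malware content."""
    out = bytearray()
    for s in strings:
        out += s.encode() + b"\x00" + b"\x90" * 3
    for c in consts:
        out += b"\xb8" + struct.pack("<I", c)
    return bytes(out)


# Constructed "known sample" database (names and contents are hypothetical).
KNOWN_SAMPLES = {
    "leak_module_A": _blob(["ErrorCode=%d", "\\\\.\\pipe\\svc"], [0x7A3F11C2, 0xDEADC0DE]),
    "leak_module_B": _blob(["ErrorCode=%d", "Initialize OK"], [0x7A3F11C2, 0x00401000]),
    "unrelated_app": _blob(["Hello, world", "config.ini"], [0x00401000, 0x00000010]),
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_artifacts(blob):
    """Return the set of distinctive artifacts in a blob: printable strings of
    at least 6 characters, plus 32-bit immediates that follow a 0xB8 opcode byte.
    Small values and page-aligned addresses are dropped: they recur in unrelated
    binaries and carry almost no attribution signal."""
    arts = set()
    for m in PRINTABLE.finditer(blob):
        arts.add("str:" + m.group().decode("ascii"))
    for i in range(len(blob) - 4):
        if blob[i] == 0xB8:
            val = struct.unpack_from("<I", blob, i + 1)[0]
            if val > 0xFFFF and val & 0xFFF != 0:
                arts.add(f"imm:{val:08x}")
    return arts


def build_index(samples):
    """Inverted index: artifact -> set of sample names that contain it."""
    index = {}
    for name, blob in samples.items():
        for a in extract_artifacts(blob):
            index.setdefault(a, set()).add(name)
    return index


def score_matches(query_blob, samples, index):
    """Score every known sample by the artifacts it shares with the query.
    An artifact seen in few samples is weighted higher (IDF-style), so a
    one-off constant counts for more than a string every binary has."""
    n = len(samples)
    scores = Counter()
    shared = {}
    for a in extract_artifacts(query_blob):
        owners = index.get(a)
        if not owners:
            continue
        w = log(n / len(owners)) + 1.0
        for name in owners:
            scores[name] += w
            shared.setdefault(name, []).append(a)
    return dict(scores), shared


def rank(query_blob, samples=KNOWN_SAMPLES):
    """Rank known samples by shared-artifact score (highest first) and return
    the ranking together with the artifacts each match shares with the query."""
    index = build_index(samples)
    scores, shared = score_matches(query_blob, samples, index)
    ranking = sorted(scores.items(), key=lambda kv: -kv[1])
    return ranking, shared


if __name__ == "__main__":
    # Constructed "new" sample that re-uses two artifacts from leak_module_A.
    query = _blob(["ErrorCode=%d", "packer stage 2"], [0x7A3F11C2, 0xDEADC0DE, 0x11223344])
    ranking, shared = rank(query)
    for name, score in ranking:
        print(f"{name}: {score:.2f}  shared={sorted(shared[name])}")
```

In practice the interesting part is what goes into `extract_artifacts`: real pipelines use function-level hashes, error-string tables, magic constants and compiler/packer habits rather than raw immediates, and the database is the corpus of previously seen samples. The ranking only says "these binaries share unusual material"; the "who built it" conclusion still rests on an analyst checking the shared artifacts by hand.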

ELI5? Well, I dunno about five, but FreshFries explains like I’m 15, maybe:

Together with additional artifacts that match Equation Group artifacts and habits shared between all exploits even as far back as 2008, we can safely conclude the following:
  • Equation Group’s EpMe exploit, existing since at least 2013, is the original exploit for the vulnerability later labeled CVE-2017-0005.
  • Somewhere around 2014, APT31 managed to capture both the 32-bit and 64-bit samples of the EpMe Equation Group exploit.
  • They replicated them to construct “Jian”, and used this new version of the exploit alongside their unique multi-staged packer.
  • Jian was caught by Lockheed Martin’s IRT and reported to Microsoft, which patched the vulnerability in March 2017 and labeled it CVE-2017-0005.

TL;DR: CheckPoint … analysed the #R@$$ out of exploits used by the NSA … and the Chinese equivalent (APT31) and found that the latter captured & reused the exploit of the first, making a point that … nation-grade cyber tools [make] any network … untrusted.

It’s almost as if martinusher told ya so:

It's what everyone's been telling them for years.

One of the dangers of keeping quiet about vulnerabilities is that you never know who else has figured this out. We tend to be a bit smug about our capabilities and somehow can't get to grips that other people could be as clever or even more clever than us. The NSA should have figured this out years ago just by following Kaspersky and applying a bit of common sense.

We know from history (Enigma) that misplaced confidence in intelligence strategies invariably backfires. That's why we really owe Snowden a medal: His revelations merely confirmed what many of us suspected and if we suspected then it's 100% certain that the Russians, among others, knew.

History is littered with examples of people being fed bogus data because they were confident that their sources were flawless. And to assume that 'the other side' wouldn't use the same techniques against us.

TL;DR? C.M. Allen cuts to the chase:

And this, ladies and gentlemen, is why ‘cyber weapons’ are asinine — you will be on the receiving end of their fury. Better to disclose these vulnerabilities to the proper hardware/software entities and get them fixed before it bites you in the *** than it is to ‘exploit’ them for a while, and then get bit in the *** in return.

The NSA, CIA, and their ilk have caused damage at least equal to the ‘benefit’ they may have imagined to have gained by not fixing the backdoors and exploits they’ve used to spy on other nations. … It’s a zero-sum game. The only winning move is not to play.

But is there a broader lesson? Binraider KISSes the ring:

Surely the solution to the bottomless pit of breaches is the Keep-It-Simple-Stupid philosophy. [With] a 50,000 line program, a good developer has a reasonable chance of staying on top of threats.

Making things ever bigger and monolithic, makes them more unmanageable (cough, Kernel and systemd). I don't need to explain the traditional UNIX philosophy here, but it exists for a reason.

C and C++, powerful as they are, make it very easy to leave room for unintentional errors around memory management. And don't get me started on programming frameworks that give "power" but not "control" - and certainly share common vulnerabilities as a result.

Ponderous and patronizing, you say? A perfectly passionate ShameOnYou proffers pithier pedagogy: [You’re fired—Ed.]

Yet, somehow, the USA is always touting that the Chinese are the biggest threat to the world.

No, USA: You are the biggest threat to the world—and yourself. Get over it.

Meanwhile, assuming APT31 copied the NSA, and not the other way around, ibmalone looks on the bright side for the Chinese perps:

Aren't US government works exempt from copyright?

The moral of the story?

Don’t let your vulnerabilities live in the shadows. Disclose responsibly.

And finally

Picard and friends get lit

Trigger warnings: A good idea stretched too far; season-01 Wesley; unnecessary fart gags.

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Martino Pietropoli (via Unsplash)
