
Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak
2021-02-22 15:06

A Chinese threat actor known as APT31 likely acquired and cloned one of the Equation Group's exploits three years before the targeted vulnerability was publicly exposed as part of Shadow Brokers' "Lost in Translation" leak, cybersecurity firm Check Point says in a new report.

Exploitation tools that the Equation Group had been using for years were made public in early 2017 by a mysterious group calling themselves Shadow Brokers.

The APT31 tool, called Jian, exploited CVE-2017-0005, a Windows GDI elevation-of-privilege vulnerability that Microsoft patched in March 2017. Jian is attributed to APT31, a Chinese hacking group also tracked as Zirconium, and is now believed to be a clone of an Equation Group exploit code-named "EpMe" that targeted the same security hole, Check Point says.

Further analysis revealed that the two exploits share artefacts specific to Equation Group tooling, which suggests that EpMe was the original exploit for CVE-2017-0005 and that Jian was built from it rather than the other way around, Check Point says.

"To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called 'EpMe'. This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets," Check Point notes.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/WdkRgZ0AUog/chinese-hackers-cloned-equation-group-exploit-years-shadow-brokers-leak

Related Vulnerability

Date: 2017-03-17
CVE: CVE-2017-0005
Title: Windows GDI Elevation of Privilege Vulnerability
Description: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application. This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047.
Attack vector: local
Attack complexity: low
Vendor: Microsoft
Risk score: 7.8