May 07, 2019 - 8:41 a.m.

Chinese Hackers Used NSA Hacking Tools Before Shadow Brokers Leaked Them

The Hacker News
thehackernews.com

CVSS3: 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.973 High (Percentile: 99.9%)


In a shocking revelation, it turns out that a hacking group believed to be sponsored by Chinese intelligence had been using some of the zero-day exploits linked to the NSA’s Equation Group almost a year before the mysterious Shadow Brokers group leaked them.

According to a new report published by cybersecurity firm Symantec, a Chinese-linked group, which it calls Buckeye, was using the NSA-linked hacking tools as far back as March 2016, while the Shadow Brokers dumped some of the tools on the Internet in April 2017.

Active since at least 2009, Buckeye—also known as APT3, Gothic Panda, UPS Team, and TG-0110—is responsible for a large number of espionage attacks, mainly against defence and critical organizations in the United States.

Although Symantec did not explicitly name China in its report, researchers have previously attributed [1,2], with a high degree of confidence, the Buckeye hacking group to an information security company called Boyusec, which works on behalf of the Chinese Ministry of State Security.

Symantec’s latest discovery provides the first evidence that Chinese state-sponsored hackers managed to acquire some of the hacking tools, including EternalRomance, EternalSynergy, and DoublePulsar, a year before they were dumped by the Shadow Brokers, a mysterious group that’s still unidentified.

According to the researchers, the Buckeye group used its custom exploit tool, dubbed Bemstour, to deliver a variant of the DoublePulsar backdoor implant to stealthily collect information and run malicious code on the targeted computers.

The Bemstour tool was designed to exploit two then-zero-day vulnerabilities (CVE-2019-0703 and CVE-2017-0143) in Windows to achieve remote kernel code execution on targeted computers.


Microsoft addressed the CVE-2017-0143 vulnerability in March 2017 after it was found to have been used by two NSA exploits (EternalRomance and EternalSynergy) that were leaked by the Shadow Brokers group.

The previously unknown Windows SMB Server flaw (CVE-2019-0703) was discovered and reported by Symantec to Microsoft in September 2018 and patched by the tech giant just last month.

Researchers detected Buckeye’s hackers using the combination of the SMB exploit and the DoublePulsar backdoor to target telecommunications companies, as well as scientific research and education institutions in Hong Kong, Luxembourg, Belgium, the Philippines, and Vietnam from March 2016 to August 2017.

How Did Chinese Hackers Grab NSA Hacking Tools?

While Symantec doesn’t know how the Chinese hackers got the Equation Group tools before the Shadow Brokers leak, the security firm does state there’s a possibility that Buckeye may have captured the code from an NSA attack on its own computers and then reverse-engineered the malware to develop its own version of the tools.

> “Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye,” Symantec says.

Buckeye appeared to cease its operations in mid-2017, and three alleged members of the group were indicted in the United States in November 2017. However, even after that, Bemstour and DoublePulsar tools used by Buckeye continued to be used until late 2018 in conjunction with different malware.

Although it is unknown who continued to use the tools, the researchers believe that the Buckeye group may have passed some of its tools to another group or “continued operating longer than supposed.”

After the Shadow Brokers leak, the NSA-linked exploit tools were then used by North Korean hackers and Russian intelligence, although the Symantec report suggests no apparent connection between the Buckeye acquisition of tools and the Shadow Brokers leak.
