Chinese Hackers Stole an NSA Windows Exploit in 2014

Check Point has evidence that (probably government affiliated) Chinese hackers stole and cloned an NSA Windows hacking tool years before (probably government affiliated) Russian hackers stole and then published the same tool. Here’s the timeline:

The timeline basically seems to be, according to Check Point:

  • 2013: NSA’s Equation Group developed a set of exploits including one called EpMe that elevates one’s privileges on a vulnerable Windows system to system-administrator level, granting full control. This allows someone with a foothold on a machine to commandeer the whole box.
  • 2014-2015: China’s hacking team code-named APT31, aka Zirconium, developed Jian by, one way or another, cloning EpMe.
  • Early 2017: The Equation Group’s tools were teased and then leaked online by a team calling itself the Shadow Brokers. Around that time, Microsoft cancelled its February Patch Tuesday, identified the vulnerability exploited by EpMe (CVE-2017-0005), and fixed it in a bumper March update. Interestingly enough, Lockheed Martin was credited as alerting Microsoft to the flaw, suggesting it was perhaps used against an American target.
  • Mid 2017: Microsoft quietly fixed the vulnerability exploited by the leaked EpMo exploit.

Lots of news articles about this.

Posted on March 4, 2021 at 6:25 AM • 13 Comments

Comments

Clive Robinson March 4, 2021 7:56 AM

@ ALL,

It matters not if the Chinese got it from the NSA[1] or it was the other way around, or the discovery was independent of each other.

In “The Game of Smoke and Mirrors” being first is rarely important, and using a competitors weapon against them is par for the course.

What is important is the length of the time line before the vulnerability was closed…

As I’ve pointed out in the past, the US being most dependent on high tech, and thus the most vulnerable to attacks against it, you would have thought that leaving open an attack you know a competitor is using for at least three years was not the brightest thing to do… But then I guess that part of the US Gov that sees its own citizens as “the enemy” is not exactly thinking rationally but then, few with “bunker fever” ever do.

[1] Saying “Chinese hackers stole and cloned” is a little childish to put it mildly. If they did get it, it was most likely because the NSA were being careless in their usage of it on the Chinese…

Yes think about the implication of that for a moment, then the implication that it was after all, “information” not “physical items”. As we all know the US is “exceptional” in that it does not regard the gathering of others’ information and repurposing others’ information for profit as a crime. Otherwise Amazon, Facebook, Google, Palantir, etc, etc would all be crooks/criminals, because of the information they’ve “stole and cloned” and profit from. I know the US thinks it’s “exceptional” but honestly you can not have it both ways… Remember what in the US is known as “The Golden Rule”, originating in the supposed “Good Book”, which has the main protagonist in the New Testament “Jesus” say “Do unto others as you would have them do unto you” in Luke 6:31 and Matthew 7:12. Crying “Snot fair” when it counts against you, which shows the US up as at best hypocritical, is well…

The first step in resolving such conflicts is to honestly look at why things are happening. But if the US want to still make claims of taking then perhaps they should say “the Chinese confiscated the US breaking and entering tools used to commit theft by the US”; it would be a little more honest after all.

Matthias Hörmann March 4, 2021 8:05 AM

And that is the reason many of us consider the hoarding of exploits for “offensive” Cybersecurity a very, very flawed idea.

Fed.up March 4, 2021 9:32 AM

If software is full of holes, it was purposely written that way.

They are pointing lots of fingers at everyone, but they need to look in the mirror most of all. Something like this doesn’t happen without insider involvement.

Banks in the US are prohibited from contributing to political campaigns. We need this law for big tech. Their employees should be treated the same as bank employees which have to submit annual political contribution and in-kind donation statements. Big tech needs to be regulated by the same laws as banks. This will protect the USA’s critical infrastructure private sector (banks, utilities) and also the Federal and State Governments. Banks have numerous data protection, data privacy and cybersecurity laws. Even the “Truth in Lending” laws should be modified for Big Tech — which essentially means that Big Tech will be required to make disclosures about informed use – and what their products really do. Banks also need to tell customers whether their data is shared and who it is shared with. They also need to stop if customers say so.

Banks prohibited from political contributions:
https://www.fdic.gov/regulations/laws/rules/8000-2100.html#:~:text=(a)%20IN%20GENERAL%2D%2DIt,caucus%20held%20to%20select%20candidates

Right now, the way CCPA was written, if a bank experiences a breach and it is due to Microsoft, it is the bank that can be sued and fined because they control the customer. Laws need to change.

gadfly March 4, 2021 10:29 AM

Re: Fed.up
“If software is full of holes, it was purposely written that way.”
I don’t think you understand how software gets written, or by whom.

Fed.up March 4, 2021 11:18 AM

@gadfly

Oh I understand. Within the past week, Microsoft is pointing fingers at Russia, China and the NSA. So is Microsoft claiming that Russia, China and the NSA are smarter than their own staff? If so, why is that?

A big bank recently was fined $400 Million because they were using dangerous software that was designed by third party contractors causing a $900M “mistake”. Poorly designed software is never an accident. Banks are held to laws which require them to use secure technology. Yet how can banks comply with these laws when they procure from tech vendors who aren’t held to the same legal standard?

The USA has defined the “Critical Infrastructure Sector” here: https://www.cisa.gov/critical-infrastructure-sectors

There are 16 sectors, only one of which, “Tech”, is NOT regulated.

Regulations light a fire. Rather than think up new ones, Congress should just level the playing field and extend existing bank and utility regulations to tech.

Microsoft playing the victim card is old. A few years ago I got stopped for speeding on a dirt road. I told the officer that I didn’t know what the speed limit was and the police officer scolded me that that was no excuse. It was my responsibility to be safe even in the absence of a posted speed limit. He let me off with just a warning because I was late for my whitewater rafting trip. That was a great lesson about personal responsibility and the law.

AL March 4, 2021 11:56 AM

Every month that I patch a Windows OS, there is something for a privilege escalation. A quick search:
Jan 12, 2021 … Windows Kernel Local Elevation of Privilege Vulnerability. CVE-2020-17087.
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. CVE-2020-0670
An elevation of privilege vulnerability exists in Network Watcher Agent virtual machine extension for Linux. CVE-2020-16995
Games in Microsoft Store Can Be Abused for Privilege Escalation…

If there aren’t hundreds, let alone thousands of exploits held worldwide by various countries security services, I would be astounded. There is way too much stuff running in kernel mode on Microsoft Windows. It might be good for gamers, but not good for business.

I think it is more likely than not that next Tuesday’s patches will include a fix for yet another privilege escalation.

SpaceLifeForm March 4, 2021 3:22 PM

@ Al

I think it is more likely than not that next Tuesday’s patches will include a fix for yet another privilege escalation.

A fix? Singular?

You seem optimistic.

A dozen will not surprise me.

lurker March 4, 2021 3:37 PM

@AL: It might be good for gamers, but not good for business.

So how come business is using a gaming OS? Were they gamed?

Clive Robinson March 4, 2021 4:11 PM

@ AL,

I think it is more likely than not that next Tuesday’s patches will include a fix for yet another privilege escalation.

Only one?…

That they mention, how many that they don’t… Remember another lesson from a while back. The NT kernel goes back a long way, and a lot of the code in there is equally as old. Which is why twelve to twenty year old vulnerabilities pop up way more often than you would expect.

I like several others still run Win2K because it’s the last OS a very expensive piece of software runs on without having to upgrade… The newer versions require you to pay huge annual maintenance fees and have Internet connection etc etc… For what are not very useful cosmetic updates.

Likewise Win XP and an older version of MS Office are way more than sufficient for “admin” and the like.

As I’ve indicated before, I don’t connect my computers to the Internet or any external network, I’m just not that daft.

Thankfully what others need, or more correctly “claim they need” is not my concern these days when it comes to my private systems I can do more or less as I please.

As for the other systems I have to use, well the responsibility for keeping the current Microsoft OS and applications secure is somebody else’s problem and they get paid to do it so I dodge supporting those MS products. There are times when I have to do presentations and the like but that’s about the only time apart from passing along admin docs I take a “hands on interest” in current MS products…

Why do I take what some will regard as a “hostile” attitude to MS current products, well it’s a long list but with Win10 they started taking the “Your box and data belong to us” attitude too seriously and that alone was enough. Their deranged attitude to downloading multi megabyte lumps you have little control over as often as they like is just ridiculous.

Especially when you consider, as you have, why there is a reason they can leverage,

There is way too much stuff running in kernel mode on Microsoft Windows. It might be good for gamers, but not good for business.

The original design of NT was wrong from the ground up… A “better VMS than Unix” it never was and as people might have noticed by its absence VMS is not popular and for good reason. Oh and Unix has kind of moved on quite a bit. For all its flashy paintwork Windows still runs on 1980’s tech, when design decisions were made for resource issues that do not exist any more, and it shows in rather more than gaming, which is the underlying reason for your observation of,

If there aren’t hundreds, let alone thousands of exploits held worldwide by various countries security services, I would be astounded.

It could actually turn out to be “hundreds of thousands” of vulnerabilities, and millions of bugs across their product lines… I guess time will tell.

Mind you at some point in time Microsoft’s Goose is not just going to stop laying eggs, it’s going to die. How they are going to avoid the inevitable will prove to be an interesting spectacle. I suspect their “Win 10 Policy” is the start of it. After all we’ve had the mess that was the 16bit to 32bit transition with the likes of the “Thunking layer” and other issues with 32bit to 64bit…

The funny thing though is if you have old 16bit Dos or Win3 software it will run on *nix boxes even if they are 64bit. Are they any the less vulnerable than they were, well no, but what they are wrapped in is much more secure if you take the appropriate measures.

I’m not a gamer, computer games of the FPS and similar have never really interested me, so other than those that are really traditional board games like chess etc that do not need to be low latency etc I can not really comment on. However I’m told that some of those old DOS and similar games from times long past do run passably well on modern *nix boxes…

There was a joke going around a while ago about Microsoft’s “Embrace and extend” having met its match with the “Linux alien face hugger”… Somehow I doubt something is going to explode out of the heart of Win10, but Microsoft might well try and phase out some of the creaking cobweb infested parts of the NT kernel. After all MS’s networking stack they “borrowed” from BSD and effectively still do. So it would not be the first time they’ve borrowed from a *nix.

Alex March 5, 2021 4:27 AM

Clive R.

Can I just say ‘thanks’ for all your postings.

You’ve taught me a lot brother…

Clive Robinson March 5, 2021 4:47 PM

@ Alex,

You’ve taught me a lot brother…

Please feel free to in turn teach others and myself, that way we all learn something new.

As was once pointed out to me,

“From questions, come answers, it’s the questions that push knowledge and mankind forward”

So if you’ve any questions pop them up on the squid page.

AL March 9, 2021 12:44 PM

Hey, some good news in March’s updates: 😉

Looking at the 30 Elevation of Privilege (EoP) bugs addressed in this month’s release, most require an attacker to log on to an affected system and run specially crafted code to escalate privileges. Almost all of these patches impact the Windows kernel and various Windows components.

calvin March 10, 2021 7:23 PM

@Fed.up
A big bank recently was fined $400 Million because they were using dangerous software that was designed by third party contractors causing a $900M “mistake”. Poorly designed software is never an accident.

I agree. Which is probably why we had the beauty known as “Adobe Flash” in the first place. Probably not needed so much anymore because now we have Windows 10 lol.
