Jian: The double-edged cyber sword

Issue 1 2021 Editor's Choice, Information Security

In the last few months, Check Point Research (CPR) focused on recent Windows Local Privilege Escalation (LPE) exploits attributed to Chinese actors. An LPE is used by attackers to acquire administrator rights on a Windows machine. During this investigation, our malware and vulnerability researchers managed to unravel the hidden story and origins behind ’Jian‘, an exploit that was previously attributed to the Chinese-affiliated attack group named APT31 (Zirconium). The attack tool was caught and reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, suggesting a possible attack against an American target.

For the sake of brevity, we dubbed APT31’s exploit Jian. During this investigation, our researchers managed to unravel the hidden story behind Jian, which translates to a double-edged straight sword used in China. The Jian exploit was previously attributed to APT31 (Zirconium), and we’ve now discovered its true origins.

Our research shows that CVE-2017-0005, a Windows LPE vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT had access to. EpMe, the Equation Group exploit for CVE-2017-0005, is one of four different LPE exploits included in the DanderSpritz attack framework. DanderSpritz is Equation Group's post-exploitation framework that contains a wide variety of tools for persistence, reconnaissance, lateral movement, bypassing antivirus engines, and more. EpMe dates back to at least 2013, which is four years before APT31 was caught exploiting the vulnerability in the wild.

In our technical blog, we introduce the four different Windows LPE exploits included in the DanderSpritz framework, revealing an additional exploit codenamed EpMo. EpMo, one of the exploits in the framework, was never publicly discussed and the unknown vulnerability it targets was patched by Microsoft in May 2017 with no apparent announcement. The patch could potentially be associated with the after-effects of the Shadow Brokers leak (https://blog.checkpoint.com/2017/05/25/brokers-shadows-analyzing-vulnerabilities-attacks-spawned-leaked-nsa-hacking-tools/) of Equation Group tools. While the vulnerability was fixed, we couldn’t identify the official vulnerability ID (CVE-ID) associated with it, and to our knowledge, this is the first public mention of the existence of this additional Equation Group vulnerability.

Read the full technical story at https://research.checkpoint.com/2021/the-story-of-jian




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

AI-enabled tools reducing time to value and enhancing application security
Editor's Choice
Next-generation AI tools are adding new layers of intelligent testing, audit, security, and assurance to the application development lifecycle, reducing risk, and improving time to value while augmenting the overall security posture.

Read more...
Perspectives on personal care monitoring and smart surveillance
Leaderware Editor's Choice Surveillance Smart Home Automation IoT & Automation
Dr Craig Donald believes smart surveillance offers a range of options for monitoring loved ones, but making the right choice is not always as simple as selecting the latest technology.

Read more...
AI enables security solutions to define business strategies
Regal Distributors SA Editor's Choice
While allowing technologies to do exactly what they should do with even more efficiency and precision, AI is also empowering these same technologies to break through their traditional boundaries and create an ecosystem where one interface delivers outcomes across highly segmented verticals.

Read more...
Putting cyber into surveillance
Dallmeier Electronic Southern Africa Cathexis Technologies Technews Publishing Editor's Choice
Cybersecurity has become an essential part of the physical security industry. However, unlike other IoT technologies, of which security products are a part, surveillance technologies have more to protect.

Read more...
Cybersecurity and AI
AI & Data Analytics Information Security
Cybersecurity is one of the primary reasons that detecting the commonalities and threats of what is otherwise completely unknown is possible with tools such as SIEM and endpoint protection platforms.

Read more...
2024 State of Security Report
Editor's Choice
Mobile IDs, MFA and sustainability emerge as top trends in HID Global’s 2024 State of Security Report, with artificial intelligence appearing in the conversation for the first time.

Read more...
Cyberthreats facing SMBs
Editor's Choice
Data and credential theft malware were the top two threats against SMBs in 2023, accounting for nearly 50% of all malware targeting this market segment. Ransomware is still the biggest threat.

Read more...
Are we our own worst enemy?
Editor's Choice
Sonja de Klerk believes the day-to-day issues we face can serve as opportunities for personal growth and empowerment, enabling us to contribute to creating a better and safer environment for ourselves and South Africa.

Read more...
How to spot a cyberattack if you are not a security pro
Editor's Choice
Cybersecurity awareness is straightforward if you know what to look for; vigilance and knowledge are our most potent weapons and the good news is that anyone can grasp the basics and spot suspicious activities.

Read more...
Protecting IP and secret data in the age of AI
Editor's Choice
The promise of artificial intelligence (AI) is a source of near-continuous hype for South Africans. However, for enterprises implementing AI solutions, there are some important considerations regarding their intellectual property (IP) and secret data.

Read more...