Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Jian: The double-edged cyber sword

Issue 1 2021 Editor's Choice, Information Security

Supplied by Check Point Research.

In the last few months, Check Point Research (CPR) focused on recent Windows Local Privilege Escalation (LPE) exploits attributed to Chinese actors. An LPE is used by attackers to acquire administrator rights on a Windows machine. During this investigation, our malware and vulnerability researchers managed to unravel the hidden story and origins behind ’Jian‘, an exploit that was previously attributed to the Chinese-affiliated attack group named APT31 (Zirconium). The attack tool was caught and reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, suggesting a possible attack against an American target.

For the sake of brevity, we dubbed APT31’s exploit Jian. During this investigation, our researchers managed to unravel the hidden story behind Jian, which translates to a double-edged straight sword used in China. The Jian exploit was previously attributed to APT31 (Zirconium), and we’ve now discovered its true origins.

Our research shows that CVE-2017-0005, a Windows LPE vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT had access to. EpMe, the Equation Group exploit for CVE-2017-0005, is one of four different LPE exploits included in the DanderSpritz attack framework. DanderSpritz is Equation Group's post-exploitation framework that contains a wide variety of tools for persistence, reconnaissance, lateral movement, bypassing antivirus engines, and more. EpMe dates back to at least 2013, which is four years before APT31 was caught exploiting the vulnerability in the wild.

In our technical blog, we introduce the four different Windows LPE exploits included in the DanderSpritz framework, revealing an additional exploit codenamed EpMo. EpMo, one of the exploits in the framework, was never publicly discussed and the unknown vulnerability it targets was patched by Microsoft in May 2017 with no apparent announcement. The patch could potentially be associated with the after-effects of the Shadow Brokers leak (https://blog.checkpoint.com/2017/05/25/brokers-shadows-analyzing-vulnerabilities-attacks-spawned-leaked-nsa-hacking-tools/) of Equation Group tools. While the vulnerability was fixed, we couldn’t identify the official vulnerability ID (CVE-ID) associated with it, and to our knowledge, this is the first public mention of the existence of this additional Equation Group vulnerability.

Read the full technical story at https://research.checkpoint.com/2021/the-story-of-jian




Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Global security in 2026
Editor's Choice News & Events Security Services & Risk Management Industrial (Industry) Mining (Industry)
The World Security Report 2026 states: “In a world of increasing volatility, physical security has evolved. It is no longer just a defensive measure; it is a critical driver of corporate value.”

Read more...
Who is to blame for autonomous mistakes?
Editor's Choice Security Services & Risk Management Industrial (Industry) Mining (Industry)
Most supply agreements for AI-integrated equipment still closely resemble plant hire contracts from ten years ago: bilateral, human-focused, and silent on who bears the risk when a machine makes a decision on its own.

Read more...
Beyond the checkpoint
Veracitech Editor's Choice
For decades, mining corporations have treated employee screening as a necessary friction point, an operational cost to be managed rather than a strategic capability to be optimised. A new generation of full-body X-ray technology, purpose-built for the realities of high-throughput precious-metals environments, is beginning to change that calculus.

Read more...
Persistent surveillance with rapid deployment
Editor's Choice
Sky Robots has introduced an aerial drone system designed to operate as a consistent layer within security environments, addressing long-standing challenges around visibility and response across large or complex sites.

Read more...
The control room problem that nobody wants to talk about
Technews Publishing Editor's Choice
WhatsApp has become the unofficial backbone of security communications across the mining and industrial sectors, but it was never designed to be a security tool.

Read more...
Controlling access for people and vehicles
IDEMIA STid Security Technews Publishing Editor's Choice Access Control & Identity Management Asset Management Industrial (Industry) Mining (Industry)
When it comes to access control, the security requirements of mines and the industrial sector are similar, requiring a layered approach that combines physical barriers, digital authentication, and continuous monitoring to protect personnel, assets, and operational continuity.

Read more...
Claude Mythos wake-up call
Technews Publishing AI & Data Analytics Information Security
AI has crossed a critical cybersecurity threshold and frontier models are accelerating attack lifecycles and will enable attackers to identify and exploit vulnerabilities at scale and speed, through novel methods that were previously the domain of advanced nation-state entities.

Read more...
If you cannot prove identity, you cannot claim security
Access Control & Identity Management Information Security
Cybersecurity planning for 2026 is a structural change in how attacks are executed and how trust is exploited, demanding that companies stop layering tools on top of infrastructure and instead prioritise intelligence and identity.

Read more...
The AI goldrush has a credibility problem
Refraime Editor's Choice Surveillance AI & Data Analytics
The single most important question a surveillance buyer can ask is deceptively simple: “Was this system programmed or was it trained?” That question alone will reveal more about what you are evaluating than any feature list or marketing video.

Read more...
Crime behaviour insights more important than ever
Leaderware Editor's Choice Surveillance Training & Education AI & Data Analytics
Behavioural surveillance skills are as essential now as they have ever been, especially in situations where quick evaluation of context is needed. Training operators in behavioural recognition skills is a vital part of control room success.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.