Jian: The double-edged cyber sword

Issue 1 2021 Editor's Choice, Information Security

In the last few months, Check Point Research (CPR) focused on recent Windows Local Privilege Escalation (LPE) exploits attributed to Chinese actors. An LPE is used by attackers to acquire administrator rights on a Windows machine. During this investigation, our malware and vulnerability researchers managed to unravel the hidden story and origins behind ’Jian‘, an exploit that was previously attributed to the Chinese-affiliated attack group named APT31 (Zirconium). The attack tool was caught and reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, suggesting a possible attack against an American target.

For the sake of brevity, we dubbed APT31’s exploit Jian. During this investigation, our researchers managed to unravel the hidden story behind Jian, which translates to a double-edged straight sword used in China. The Jian exploit was previously attributed to APT31 (Zirconium), and we’ve now discovered its true origins.

Our research shows that CVE-2017-0005, a Windows LPE vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT had access to. EpMe, the Equation Group exploit for CVE-2017-0005, is one of four different LPE exploits included in the DanderSpritz attack framework. DanderSpritz is Equation Group's post-exploitation framework that contains a wide variety of tools for persistence, reconnaissance, lateral movement, bypassing antivirus engines, and more. EpMe dates back to at least 2013, which is four years before APT31 was caught exploiting the vulnerability in the wild.

In our technical blog, we introduce the four different Windows LPE exploits included in the DanderSpritz framework, revealing an additional exploit codenamed EpMo. EpMo, one of the exploits in the framework, was never publicly discussed and the unknown vulnerability it targets was patched by Microsoft in May 2017 with no apparent announcement. The patch could potentially be associated with the after-effects of the Shadow Brokers leak (https://blog.checkpoint.com/2017/05/25/brokers-shadows-analyzing-vulnerabilities-attacks-spawned-leaked-nsa-hacking-tools/) of Equation Group tools. While the vulnerability was fixed, we couldn’t identify the official vulnerability ID (CVE-ID) associated with it, and to our knowledge, this is the first public mention of the existence of this additional Equation Group vulnerability.

Read the full technical story at https://research.checkpoint.com/2021/the-story-of-jian

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Enhance control rooms with surveillance and intelligence
Leaderware Editor's Choice Surveillance Mining (Industry)
Dr Craig Donald advocates the use of intelligence and smart surveillance to assist control rooms in dealing with the challenges of the size and dispersed nature common in all mining environments.

A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Integrated information platform for risk management
Editor's Choice News & Events Security Services & Risk Management
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Security Services & Risk Management
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.