A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit created by the U.S. National Security Agency's Equation Group before Microsoft fixed the Windows vulnerability that was being misused in 2017, as indicated by an analysis published on Monday by Check Point Research. For quite a long while, researchers had presumed the Chinese hacking group known as APT31 or Zirconium had built up an exploit tool to take advantage of a vulnerability tracked as CVE-2017-0005 and found in more seasoned renditions of Windows, like Windows 7 and Windows 8, as indicated by the report.
The report brings up additional questions about how some of the NSA's most valued cyberweapons have been found or stolen by nation-state hacking groups and then turned on their developers over the years. In May 2019, Symantec published a similar report that found another group of hackers had taken and exploited cyber tools developed by the NSA. Both the Symantec and Check Point research show that the burglary of NSA Equation Group devices by these groups seems to have occurred before the hacking group known as the Shadow Brokers first began publishing the agency's exploits in 2016.
Security research previously noted that a zero-day exploit was created for CVE-2017-0005, called "Jian," in 2014 and initially deployed it in 2015. The exploit was utilized for a very long time before Microsoft at last issued a patch for it in 2017. Whenever exploited, this bug could permit an attacker to escalate privileges inside an undermined device and afterward acquire full control, the researchers note. Microsoft published its fix for CVE-2017-0005 in March 2017, when the company was forced to issue multiple fixes for the exploits related to the Shadow Brokers "Lost in Translation" leak, Check Point notes.
A further investigation by Check Point found that Jian was not an original creation, but rather a clone of a zero-day exploit for more seasoned renditions of Windows created by the NSA Equation Group in 2013 and initially called "EpMe" by the agency, as per the new report.
In another case documented by Symantec in 2019, APT3 "Buckeye" was connected to assaults utilizing Equation Group tools in 2016, before the Shadow Brokers leak.