Sunday, May 19, 2024

Chinese Hackers Stole the NSA Hacking Tools a Year Before Shadow Brokers Leak Those Tools – A Shocking Report

A new report reveals that the Chinese state-sponsored Buckeye APT group stole and used Equation Group tools a year before the Shadow Brokers leaked them.

In 2017, The Shadow Brokers, an unknown group of hackers, stole and leaked zero-day exploits, malware, and hacking tools from the Equation Group, one of the most sophisticated cyber attack groups in the world and a unit of the National Security Agency (NSA).

Prior to this incident, the China-based Buckeye group, also known as APT3, had already gained access to those tools and used them in a variety of attacks to gain persistent access to targeted organizations.

The Buckeye group has been active since 2009 and has carried out numerous cyber attacks, mainly against organizations based in the United States; in 2014 the group also exploited several zero-day vulnerabilities as part of its attack campaigns.

In March 2016, the Buckeye group began using a variant of DoublePulsar, a sophisticated NSA backdoor that was later leaked by the Shadow Brokers in 2017, and at the same time used a custom exploit tool (Trojan.Bemstour) to reach its targeted victims.

Bemstour exploits two Windows zero-day vulnerabilities (CVE-2019-0703 and CVE-2017-0143) to achieve remote kernel code execution on targeted computers; these zero-days were later used by two NSA-owned exploit tools, EternalRomance and EternalSynergy.

Bemstour Exploit Tools From Buckeye

Based on evidence discovered by Symantec researchers, the Buckeye group used the stolen NSA hacking tools against a target in Hong Kong, where the attackers delivered malware named "Buckeye" via the Bemstour exploit tool.

According to the Symantec report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed.”

“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”

Source: Symantec

In September 2016, the Bemstour exploit tool was rolled out with significant improvements, allowing it to exploit both 32-bit and 64-bit systems, and it was used to attack an educational institution in Hong Kong.

Development of the Bemstour exploit tool continued into 2019, and a new sample of this variant was discovered by Symantec on March 23, 2019.

How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown.

The researchers believe there are multiple possibilities as to how Buckeye obtained the Equation Group tools:

  1. Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack.
  2. Buckeye may have obtained the tools by gaining access to an unsecured or poorly secured Equation Group server, or a rogue Equation Group member or associate may have leaked the tools to Buckeye.

Indicators of Compromise

SHA 256



BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
