Thursday, November 30, 2023

Chinese Hackers Stole the NSA Hacking Tools a Year Before Shadow Brokers Leaked Them – A Shocking Report

A shocking new report reveals that the Chinese state-sponsored Buckeye APT group stole and used Equation Group tools at least a year before the Shadow Brokers leaked them.

In 2017, The Shadow Brokers, a previously unknown group of hackers, stole zero-day exploits, malware, and hacking tools from the Equation Group, one of the most sophisticated cyber attack groups in the world and a unit of the National Security Agency (NSA).

Prior to this incident, the China-based Buckeye group, also known as APT3, had already gained access to those tools and used them in a variety of attacks to gain persistent access to targeted organizations.

The Buckeye group has been active since 2009 and has carried out numerous cyber attacks, mainly against organizations based in the United States; in 2014 the group also exploited several zero-day vulnerabilities as part of its attack campaigns.

In March 2016, the Buckeye group began using a variant of DoublePulsar, a sophisticated NSA backdoor that was later leaked by the Shadow Brokers in 2017, together with a custom exploit tool (Trojan.Bemstour) to reach its targets.

Bemstour exploits two Windows zero-day vulnerabilities (CVE-2019-0703 and CVE-2017-0143) to achieve remote kernel code execution on targeted computers; the same zero-days were later used by two NSA-owned exploit tools, EternalRomance and EternalSynergy.

Bemstour Exploit Tool From Buckeye

Based on evidence discovered by Symantec researchers, the Buckeye group used the stolen NSA hacking tools against a target in Hong Kong, where the attackers delivered the malware named “Buckeye” via the Bemstour exploit tool.

According to the Symantec report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed.”

“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”

Source: Symantec

In September 2016, an improved version of the Bemstour exploit tool was rolled out that could exploit both 32-bit and 64-bit systems; it was used to attack an educational institution in Hong Kong.

Development of the Bemstour exploit tool continued into 2019, and a new sample of the tool was discovered by Symantec on March 23, 2019.

How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown.

The researchers believe there are multiple possibilities as to how Buckeye obtained the Equation Group tools:

  1. Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack.
  2. Buckeye may have obtained the tools by gaining access to an unsecured or poorly secured Equation Group server, or a rogue Equation Group member or associate may have leaked the tools to Buckeye.

Indicators of Compromise

SHA 256


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
