Remember that treasure trove of NSA cyber exploit goodies made public by the Shadow Brokers in 2017, the home of EternalBlue and friends? Like Pandora's box, once the lid lifted, everything escaped. These were exploits for 0-days, many of them in Windows, that had been acquired and kept quiet rather than reported for patching, so as to build a cyber weapons arsenal. It's what all the cool nation states do.
Turns out that credit for the hacking tool "Jian", a privilege escalation exploit giving full system compromise on Windows versions from XP to 8, does not go to APT31 (aka Zirconium) after all: Jian is a clone of Equation Group's EpMe. EpMe was one of four privilege escalation exploits bundled into a single module of the Equation Group toolkit. Note: APT3 were another Chinese group who had availed themselves of NSA tools before those tools got loose. Good time to revisit that "Lost in Translation" leak by the Shadow Brokers.
This was a major security issue for organizations that rely on secure file transfer: think legal, financial, government. At least 100 entities are victims, of which 25 have suffered "significant data theft". The playbook is extortion: ransomware plus name-and-shame leak sites.
Researchers have identified the threat actors UNC2546 and UNC2582, both connected to the established cybercrime group FIN11, which works with the Clop ransomware operation. Attribution is getting muddier and murkier, as cybercriminals work alongside state-backed adversaries and spin off offshoots that act one step removed.