Symantec has implicated Buckeye, a hacking team allegedly composed of Chinese nationals, in the exploitation of a critical Windows zero-day that Redmond only patched in March 2019. More striking, Symantec claims the group had hold of Equation Group tooling before the Shadow Brokers published it. The Equation Group tools were specialised cyber-espionage instruments, among them the EternalBlue exploit, which the NSA kept secret for years until the Shadow Brokers leaked it in 2017.
Also known as APT3 or Gothic Panda, Buckeye was using the tools before the Shadow Brokers leak made them public. Symantec tied the group to a new variant of the Backdoor.DoublePulsar implant, delivered by a custom exploit tool the company named Trojan.Bemstour.
“The zero-day vulnerability allows for the leaking of information and can be exploited in conjunction with other vulnerabilities to attain remote kernel code execution. It was reported by Symantec to Microsoft in September 2018 and was patched on March 12, 2019. How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown. Buckeye disappeared in mid-2017 and three alleged members of the group were indicted in the U.S. in November 2017,” explained Symantec Security Response Attack Investigation Team in their official blog.
According to Symantec's investigation, Bemstour first appeared in September 2016, in an attack on a target in Hong Kong. The exploit tool initially worked only against 32-bit Windows and was later updated to add 64-bit support.
“When used against 32-bit targets, Bemstour still delivered the same DoublePulsar backdoor. However, against 64-bit targets it delivered only the custom payload. The attackers typically used it to execute shell commands that created new user accounts. Development of Bemstour has continued into 2019. The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23, 2019, eleven days after the zero-day vulnerability was patched by Microsoft. The purpose of all the attacks was to acquire a persistent presence on the victim’s network, meaning information theft was the most likely motive of the attacks,” added Symantec Security Response Attack Investigation Team.
The two vulnerabilities Buckeye chained are CVE-2017-0143, an SMBv1 flaw fixed by Microsoft's MS17-010 bulletin in March 2017, and the CVE-2019-0703 information leak, which Microsoft patched on March 12, 2019. Fixes have therefore been available for both, but not every organisation installs Windows updates quickly enough to close the window the attackers relied on.
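A quick triage script for the two exposures above, added here as an example and not taken from Symantec's report or the article: it checks whether any of the MS17-010 knowledge-base articles is installed, whether SMBv1 (the protocol CVE-2017-0143 lives in) is still enabled, and whether the host has taken any update since the March 12, 2019 patch date. The KB list is an assumption copied from memory of the March 2017 bulletin and should be verified against Microsoft's own table for the exact OS build.

```powershell
# Added example, not from the Symantec report or the article.
# Assumptions: the KB IDs below are the MS17-010 security-only and monthly-rollup
# packages for Windows 7/2008 R2, 8.1/2012 R2, 2012 and early Windows 10 builds;
# verify them against the Microsoft bulletin for the build you are checking.
$ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                'KB4012217','KB4012606','KB4013198','KB4013429')

# Get-HotFix lists installed Windows updates by KB ID
$hotfixes  = Get-HotFix
$installed = $hotfixes | Select-Object -ExpandProperty HotFixID
$hasMs17010 = @($ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0

# CVE-2017-0143 is an SMBv1 bug; if SMBv1 is off, the exploit path is closed
# regardless of patch state. Get-SmbServerConfiguration needs Windows 8/2012 or later.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# CVE-2019-0703 shipped in the March 12, 2019 cumulative update, which has no single
# KB across builds, so the practical check is "has anything newer than that been applied".
$latest = $hotfixes | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchedAfterMar2019 = ($null -ne $latest) -and
                       ($latest.InstalledOn -ge (Get-Date '2019-03-12'))

[pscustomobject]@{
    Host                = $env:COMPUTERNAME
    MS17010KbPresent    = $hasMs17010
    SMB1Enabled         = $smb1Enabled
    LastHotfix          = $latest.HotFixID
    LastHotfixDate      = $latest.InstalledOn
    UpdatedSince2019Mar = $patchedAfterMar2019
}

if ($smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; unless a legacy device depends on it, disable it:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
```

One caveat when reading the output: on Windows 10 and Server 2016 and later, cumulative updates supersede earlier packages, so a fully patched host may show `MS17010KbPresent = False` even though the fix is present. Treat `SMB1Enabled = True` as the actionable finding, and use the hotfix date rather than the KB match as the patch-level signal on those builds.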
“There are multiple possibilities as to how Buckeye obtained Equation Group tools before the Shadow Brokers leak. Based on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack. Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye,” concluded Symantec Security Response Attack Investigation Team.