UPSynergy: Chinese-American Spy vs Spy Story (Sep 5, 2019)
Check Point researchers analyzed the “Bemstour” exploitation tool used by the China-based Advanced Persistent Threat (APT) group “APT3” and were able to confirm that the group “recreated its own version of an Equation group exploit using captured network traffic.” This suggestion was first introduced by Symantec, and Check Point now believes that APT3 already had access to a network that was attacked by the Equation Group. The Equation Group is believed to be a US-based group whose tools had variants publicly released by a group called “The Shadow Brokers” in 2017. APT3 incorporated an exploit from the Equation Group leak into Bemstour. The exploit, found to be equivalent to EternalRomance, was then augmented in an attempt to affect additional Windows versions, which “required looking for an additional 0-day that provided them with a kernel information leak.” Such analysis shows the sophistication of APT3 and the lengths APT groups will go to in order to acquire new tools for malicious activity.
Recommendation: This research emphasises the importance of patch maintenance and of awareness of which groups may attack your company, depending on sector and geographical location. Awareness of such groups can assist in identifying potential malicious behaviour based on a group's Tactics, Techniques, and Procedures (TTPs) and its known malware and tools. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.