Epme

Vulnerability updated 5 months ago (2024-05-04T16:12:04.185Z)
EpMe is a Windows Win32k local privilege-escalation exploit for CVE-2017-0005. It was first identified as part of the Equation Group's exploit arsenal, and its existence has been traced back to at least 2013. The Equation Group, widely believed to be linked to the NSA, built EpMe as part of a toolset that also included the DanderSpritz post-exploitation framework and the other NtElevation privilege-escalation exploits ElEi, ErNi and EpMo. According to the Equation Group's own exploit configuration, EpMe did not support Windows 2000.

Although EpMe was an original Equation Group creation, CVE-2017-0005 was initially attributed to APT31 (also tracked as Zirconium, Judgment Panda and Red Keres, a China-linked cyber espionage group), because the sample caught in the wild was APT31's clone of the exploit rather than the original. That clone, named "Jian", was caught by Lockheed Martin's Incident Response Team, and the vulnerability was patched by Microsoft in March 2017, before the exploit's true origin was understood. In 2021 the Check Point Research team showed that Jian was a reconstruction of the Equation Group's EpMe, assembled from both the 32-bit and 64-bit versions of the original exploit. The earliest timestamp in the PE embedded in the cloned EpMe is October 27, 2014.

The case illustrates how difficult attribution becomes once an exploit has been captured, cloned or modified by a different threat actor: the actor observed using a tool is not necessarily the actor that wrote it.
Description last updated: 2024-03-26T12:15:48.116Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names / profiles that may also be relevant.
jian (possible alias for Epme; 2 votes): Jian, a cyber espionage tool used by the China-linked APT31 group (also known as Zirconium, Judgment Panda, and Red Keres), has been implicated in multiple cyber espionage operations. The tool was first brought to public attention in 2021 when the Check Point Research team identified it as a clone of the Equation Group's EpMe exploit. Nota…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Associated Threat Actors
ZIRCONIUM (association type: unspecified; 2 votes): Zirconium, also known as APT31, Judgment Panda, and Red Keres, is a threat actor linked to numerous cyber espionage operations. The group came into the spotlight in 2021 when the Check Point Research team discovered that it had used a tool called "Jian," a clone of the NSA Equation Group's hacking t…

APT31 (association type: unspecified; 2 votes): APT31, also known as Zirconium, is a threat actor believed to be working on behalf of China's Ministry of State Security in Wuhan. The group's primary mission, according to security vendors like Mandiant, involves gathering information from rival nations that could be of economic, military, and poli…

Equation Group (association type: unspecified; 2 votes): The Equation Group is a threat actor, believed to have ties to the United States, that has been involved in numerous cyber espionage operations. The group's favorite vulnerabilities include CVE-2017-0144, a Windows Server Message Block code execution vulnerability that was leaked by another group kn…

Shadow Brokers (association type: unspecified; 2 votes): The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National Se…