IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Recent Microsoft attacks traced to secretive Israeli spyware firm

Candiru, which trades exclusively with governments, distributed zero-day exploits for vulnerabilities patched this week

Darkened image of a hacker wearing a hoodie using computing equipment

Microsoft and CitizenLab have revealed that attacks launched against two recently-patched Windows zero-days were supported by a secretive Israeli-based company that specialises in selling spyware and exploits.

Microsoft believes the vendor named Candiru, codenamed Sourgum, developed spyware dubbed DevilsTongue that unknown clients used to exploit a pair of vulnerabilities the company fixed as part of its latest wave of Patch Tuesday updates.

These are CVE-2021-31979 and CVE-2021-33771, both privilege escalation vulnerabilities that allow attackers to escape browser sandboxes and gain kernel code execution privileges. They were patched on 13 July alongside another exploited zero-day and the PrintNightmare vulnerability.

As part of its investigation, Microsoft identified at least 100 victims based across the Middle East and in the UK and Singapore, including human rights activists, journalists, political dissidents, and politicians.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” said Microsoft’s Threat Intelligence Centre (MSTIC). “MSTIC believes Sourgum is an Israel-based private-sector offensive actor.

“Citizen Lab asserts with high confidence that Sourgum is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces “hacking tools [that] are used to break into computers and servers”.

Citizen Lab’s report reveals that Candiru is a mercenary spyware firm that markets ‘untraceable’ spyware exclusively to government customers, with products including systems that spy on devices and cloud accounts. Its previous customers include Saudi Arabia and the United Arab Emirates.

Candiru appears to license its spyware by the ‘number of concurrent infections’ which would reflect the high number of targets that can be under active surveillance at any one time. The fine print on a product proposal Citizen Lab analysed also suggested there’s a list of restricted countries clients cannot attack, which are the US, Russia, China, Israel, and Iran.

The company is similar in nature to NSO Group, another infamous Israeli company that developed the Pegasus spyware that its clients used to target high-profile WhatsApp accounts in 2019.

Microsoft identified DevilsTonge, the tool used to exploit the two Microsoft zero-days, as a complex, modular, multi-threaded malware written in C and C++ with novel capabilities.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

Its main function resides in Dynamic Link Library files that are encrypted on disk, and only decrypted in memory, for example, meaning it’s difficult to detect. Configuration and tasking data is separate from the malware, meaning analysis is hard, while the malware has both user mode and kernel mode capabilities. The malware is also embedded with further evasion mechanisms, although Microsoft is yet to fully analyse the nature of these.

Citizen Lab also identified at least 764 domain names likely in use by Candiru and its clientele to lure victims, with many of these disguised as progressive and charitable organisations like Black Lives Matter and Amnesty International. Other domains were masquerading as media companies and civil-society themed entities.

“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” said Citizen Lab researchers Bill Marczak, Kristin Berdan, Bahr Abdul Razzak, and Ron Deibert.

“This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their domestic and foreign security agencies. Many are characterised by poor human rights track records.”

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download


Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021
Bahrain targets activists with NSO's Pegasus spyware

Bahrain targets activists with NSO's Pegasus spyware

24 Aug 2021

Most Popular

16 ways to speed up your laptop

16 ways to speed up your laptop

13 May 2022
Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

26 May 2022
Open source packages with millions of installs hacked to harvest AWS credentials

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022