Recent Microsoft attacks traced to secretive Israeli spyware firm

Candiru, which trades exclusively with governments, distributed zero-day exploits for vulnerabilities patched this week

Darkened image of a hacker wearing a hoodie using computing equipment

Microsoft and CitizenLab have revealed that attacks launched against two recently-patched Windows zero-days were supported by a secretive Israeli-based company that specialises in selling spyware and exploits.

Microsoft believes the vendor named Candiru, codenamed Sourgum, developed spyware dubbed DevilsTongue that unknown clients used to exploit a pair of vulnerabilities the company fixed as part of its latest wave of Patch Tuesday updates.

These are CVE-2021-31979 and CVE-2021-33771, both privilege escalation vulnerabilities that allow attackers to escape browser sandboxes and gain kernel code execution privileges. They were patched on 13 July alongside another exploited zero-day and the PrintNightmare vulnerability.

As part of its investigation, Microsoft identified at least 100 victims based across the Middle East and in the UK and Singapore, including human rights activists, journalists, political dissidents, and politicians.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” said Microsoft’s Threat Intelligence Centre (MSTIC). “MSTIC believes Sourgum is an Israel-based private-sector offensive actor.

“Citizen Lab asserts with high confidence that Sourgum is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces “hacking tools [that] are used to break into computers and servers”.

Citizen Lab’s report reveals that Candiru is a mercenary spyware firm that markets ‘untraceable’ spyware exclusively to government customers, with products including systems that spy on devices and cloud accounts. Its previous customers include Saudi Arabia and the United Arab Emirates.

Candiru appears to license its spyware by the ‘number of concurrent infections’ which would reflect the high number of targets that can be under active surveillance at any one time. The fine print on a product proposal Citizen Lab analysed also suggested there’s a list of restricted countries clients cannot attack, which are the US, Russia, China, Israel, and Iran.

The company is similar in nature to NSO Group, another infamous Israeli company that developed the Pegasus spyware that its clients used to target high-profile WhatsApp accounts in 2019.

Microsoft identified DevilsTonge, the tool used to exploit the two Microsoft zero-days, as a complex, modular, multi-threaded malware written in C and C++ with novel capabilities.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

Its main function resides in Dynamic Link Library files that are encrypted on disk, and only decrypted in memory, for example, meaning it’s difficult to detect. Configuration and tasking data is separate from the malware, meaning analysis is hard, while the malware has both user mode and kernel mode capabilities. The malware is also embedded with further evasion mechanisms, although Microsoft is yet to fully analyse the nature of these.

Citizen Lab also identified at least 764 domain names likely in use by Candiru and its clientele to lure victims, with many of these disguised as progressive and charitable organisations like Black Lives Matter and Amnesty International. Other domains were masquerading as media companies and civil-society themed entities.

“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” said Citizen Lab researchers Bill Marczak, Kristin Berdan, Bahr Abdul Razzak, and Ron Deibert.

“This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their domestic and foreign security agencies. Many are characterised by poor human rights track records.”

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021
Bahrain targets activists with NSO's Pegasus spyware
spyware

Bahrain targets activists with NSO's Pegasus spyware

24 Aug 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

UK spy agencies supercharge espionage efforts with AWS data deal
cloud computing

UK spy agencies supercharge espionage efforts with AWS data deal

26 Oct 2021
Cryptocurrency: Should you invest?
cryptocurrencies

Cryptocurrency: Should you invest?

27 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021