Israeli Firm Helped Governments Target Journalists
Two of the zero-day Windows flaws patched by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally.
The spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed had exploited multiple zero-day vulnerabilities in the Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab.
"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers said. "This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services."
Founded in 2014, the private-sector offensive actor (PSOA) — codenamed "Sourgum" by Microsoft — is said to be the developer of an espionage toolkit dubbed DevilsTongue that is sold exclusively to governments and is capable of infecting and monitoring a broad range of devices across different platforms, including iPhones, Android devices, Macs, PCs, and cloud accounts.
Citizen Lab said it was able to recover a copy of Candiru's Windows spyware after obtaining a hard drive from "a politically active victim in Western Europe," which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for the vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, which were leveraged to install malware on victims' machines.
The infection chain relied on a mix of browser and Windows exploits, with the former served via single-use URLs sent to targets over messaging applications such as WhatsApp. Microsoft patched both privilege escalation flaws, which enable an adversary to escape the browser sandbox and gain kernel code execution, on July 13.
The intrusions culminated in the deployment of DevilsTongue, a modular C/C++-based backdoor equipped with a number of capabilities, including exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from the Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.
Microsoft's analysis of the digital weapon also found that it could abuse the stolen cookies from logged-in email and social media accounts like Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim's messages, retrieve photos, and even send messages on their behalf, thus allowing the threat actor to send malicious links directly from a compromised user's computer.
Separately, the Citizen Lab report also tied the two Google Chrome vulnerabilities disclosed by the search giant on Wednesday — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv company, noting overlaps in the websites that were used to distribute the exploits.
Furthermore, 764 domains linked to Candiru's spyware infrastructure were uncovered, many of them masquerading as advocacy organizations such as Amnesty International and the Black Lives Matter movement, as well as media companies and other civil-society-themed entities. Some of the systems under their control were operated from Saudi Arabia, Israel, the U.A.E., Hungary, and Indonesia.
Over 100 victims of Sourgum's malware have been identified to date, with targets located in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), the United Kingdom, Turkey, Armenia, and Singapore. "These attacks have largely targeted consumer accounts, indicating Sourgum's customers were pursuing particular individuals," said Cristin Goodwin, General Manager of Microsoft's Digital Security Unit.
The latest report arrives as TAG researchers Maddie Stone and Clement Lecigne noted a surge in attackers using more zero-day exploits in their cyber offensives, in part fueled by more commercial vendors selling access to zero-days than in the early 2010s.
"Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices," Microsoft Threat Intelligence Center (MSTIC) said in a technical rundown.
"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks," MSTIC added.