Microsoft as part of its Patch on Tuesday fixed two of the zero-day Windows flaws weaponized by Candiru, an Israeli firm in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally.
According to a report published by the University of Toronto's Citizen Lab, the spyware vendor has also been formally identified as the commercial surveillance firm that Google's Threat Analysis Group (TAG) revealed was exploiting multiple zero-day vulnerabilities in Chrome browser to attack victims in Armenia.
"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,"
Citizen Lab researchers stated.
"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services."
Founded in 2014, the private-sector offensive actor (PSOA) — codenamed "Sourgum" by Microsoft — is stated to be the creator of DevilsTongue, an espionage toolkit able to infect and track a wide range of devices across multiple platforms, including iPhones, Androids, Macs, PCs, and cloud accounts.
After gaining a hard drive from "a politically active victim in Western Europe," Citizen Lab stated it was able to restore a copy of Candiru's Windows spyware, which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771 that were leveraged to install malware on victim boxes.
The infection chain used a combination of browser and Windows vulnerabilities, with the latter being transmitted through single-use URLs emailed on WhatsApp to targets. On July 13, Microsoft patched both privilege escalation issues, which allow an attacker to bypass browser sandboxes and obtain kernel code execution.
The attacks resulted in the deployment of DevilsTongue, a modular C/C++-based backdoor capable of exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.
Microsoft discovered that the digital weapon could gather data, read the victim's messages, get photos, and even send messages on their behalf using stolen cookies from logged-in email and social media accounts including Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte.
Furthermore, the Citizen Lab study linked two Google Chrome vulnerabilities — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv firm, citing similarities in the websites used to disseminate the exploits.
A total of 764 domains related to Candiru's spyware infrastructure were discovered, many of which purported to be advocacy groups such as Amnesty International, the Black Lives Matter movement, media businesses, and other civil-society-oriented enterprises.
Saudi Arabia, Israel, the United Arab Emirates, Hungary, and Indonesia were among the countries that ran systems under their authority.
According to a Microsoft report, an Israeli hacking-for-hire firm has assisted government clients in spying on more than 100 people throughout the world, including politicians, dissidents, human rights activists, diplomatic staff, and journalists.
Among other well-known news outlets, the Guardian and the Washington Post released information of what they termed "global surveillance operations" using Pegasus. The surveillance is said to be aimed at journalists and according to the claims, Pegasus malware is being used to spy on people by over ten nations.
SOURGUM's malware has so far targeted over 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore.
These attacks mostly targeted consumer accounts, implying that Sourgum's users were pursuing part of the attack.
TAG researchers Maddie Stone and Clement Lecigne noticed a rise in attackers utilizing more zero-day vulnerabilities in their cyber offensives in the early 2010s, which they attribute to more commercial vendors offering access to zero-day flaws.
Microsoft Threat Intelligence Center (MSTIC) stated in a technical rundown, "Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices.”
"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks," MSTIC added.
