Recent Microsoft attacks traced to secretive Israeli spyware firm
Candiru, which trades exclusively with governments, distributed zero-day exploits for vulnerabilities patched this week


Microsoft and Citizen Lab have revealed that attacks exploiting two recently patched Windows zero-days were supported by a secretive Israel-based company that specialises in selling spyware and exploits.
Microsoft believes the vendor, which it tracks as Sourgum and which Citizen Lab identifies as Candiru, developed spyware dubbed DevilsTongue that unknown clients used to exploit a pair of vulnerabilities the company fixed as part of its latest wave of Patch Tuesday updates.
These are CVE-2021-31979 and CVE-2021-33771, both Windows kernel privilege escalation vulnerabilities that, chained with a browser exploit, allow attackers to escape the browser sandbox and gain kernel-level code execution. They were patched on 13 July alongside another exploited zero-day and the PrintNightmare vulnerability.
As part of its investigation, Microsoft identified at least 100 victims based across the Middle East and in the UK and Singapore, including human rights activists, journalists, political dissidents, and politicians.
“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” said Microsoft’s Threat Intelligence Centre (MSTIC). “MSTIC believes Sourgum is an Israel-based private-sector offensive actor.
“Citizen Lab asserts with high confidence that Sourgum is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces ‘hacking tools [that] are used to break into computers and servers’.”
Citizen Lab’s report reveals that Candiru is a mercenary spyware firm that markets ‘untraceable’ spyware exclusively to government customers, with products including systems that spy on devices and cloud accounts. Its previous customers include Saudi Arabia and the United Arab Emirates.
Candiru appears to license its spyware by the ‘number of concurrent infections’, which would reflect the high number of targets that can be under active surveillance at any one time. The fine print on a product proposal Citizen Lab analysed also suggested there is a list of restricted countries clients cannot attack: the US, Russia, China, Israel, and Iran.
The company is similar in nature to NSO Group, another infamous Israeli company that developed the Pegasus spyware that its clients used to target high-profile WhatsApp accounts in 2019.
Microsoft identified DevilsTongue, the tool used to exploit the two Microsoft zero-days, as complex, modular, multi-threaded malware written in C and C++ with novel capabilities.
Its main functionality resides in Dynamic Link Library files that are encrypted on disk and only decrypted in memory, which makes the malware difficult to detect with file-based scanning. Configuration and tasking data are stored separately from the malware itself, which complicates analysis, and the malware has both user-mode and kernel-mode capabilities. It also contains further evasion mechanisms, although Microsoft has yet to fully analyse their nature.
Citizen Lab also identified at least 764 domain names likely in use by Candiru and its clientele to lure victims, with many of these disguised as progressive and charitable organisations like Black Lives Matter and Amnesty International. Other domains were masquerading as media companies and civil-society themed entities.
“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” said Citizen Lab researchers Bill Marczak, Kristin Berdan, Bahr Abdul Razzak, and Ron Deibert.
“This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their domestic and foreign security agencies. Many are characterised by poor human rights track records.”

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.