Two of the zero-day Windows flaws patched by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of “precision attacks” to hack more than 100 journalists, academics, activists, and political dissidents globally.
The spyware vendor was also formally identified as the commercial surveillance company that Google’s Threat Analysis Group (TAG) revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto’s Citizen Lab.
“Candiru‘s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” Citizen Lab researchers said. “This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services.”
Founded in 2014, the private-sector offensive actor (PSOA) — codenamed “Sourgum” by Microsoft — is said to be the developer of an espionage toolkit dubbed DevilsTongue that’s exclusively sold to governments and is capable of infecting and monitoring a broad range of devices across different platforms, including iPhones, Androids, Macs, PCs, and cloud accounts.
Citizen Lab said it was able to recover a copy of Candiru’s Windows spyware after obtaining a hard drive from “a politically active victim in Western Europe,” which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771 that were leveraged to install malware on victim boxes.
The infection chain relied on a mix of browser and Windows exploits, with the former served via single-use URLs sent to targets on messaging applications such as WhatsApp. Microsoft addressed both the privilege escalation flaws, which enable an adversary to escape browser sandboxes and gain kernel code execution, on July 13.
The intrusions culminated in the deployment of DevilsTongue, a modular C/C++-based backdoor equipped with a number of capabilities, including exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.
Microsoft’s analysis of the digital weapon also found that it could abuse the stolen cookies from logged-in email and social media accounts like Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim’s messages, retrieve photos, and even send messages on their behalf, thus allowing the threat actor to send malicious links directly from a compromised user’s computer.
Separately, the Citizen Lab report also tied the two Google Chrome vulnerabilities disclosed by the search giant on Wednesday — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv company, noting overlaps in the websites that were used to distribute the exploits.
Furthermore, 764 domains linked to Candiru’s spyware infrastructure were uncovered, with many of the domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities. Some of the systems under their control were operated from Saudi Arabia, Israel, U.A.E., Hungary, and Indonesia.
Over 100 victims of SOURGUM’s malware have been identified to date, with targets located in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. “These attacks have largely targeted consumer accounts, indicating Sourgum’s customers were pursuing particular individuals,” Microsoft’s General Manager of Digital Security Unit, Cristin Goodwin, said.
The latest report arrives as TAG researchers Maddie Stone and Clement Lecigne noted a surge in attackers using more zero-day exploits in their cyber offensives, in part fueled by more commercial vendors selling access to zero-days than in the early 2010s.
“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” Microsoft Threat Intelligence Center (MSTIC) said in a technical rundown.
“With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks,” MSTIC added.