Israeli company helped governments target journalists, activists with 0-Days and spyware




Two of the Windows zero-day flaws Microsoft corrected as part of its Patch Tuesday update earlier this week were weaponized by an Israeli company called Candiru in a series of “precision attacks” to hack more than 100 journalists, academics, activists, and political dissidents around the world.

The spyware vendor has also been officially identified as the commercial surveillance company that Google’s Threat Analysis Group (TAG) revealed to have exploited several zero-day vulnerabilities in the Chrome browser to target victims located in Armenia, according to a report published by the Citizen Lab at the University of Toronto.

“Candiru’s apparent widespread presence and the use of its surveillance technology against global civil society is a powerful reminder that the mercenary spyware industry contains many players and is subject to widespread abuse,” said Citizen Lab researchers. “This case demonstrates, once again, that in the absence of international guarantees or strict government export controls, spyware vendors will sell to government customers who routinely abuse their services.”


Founded in 2014, the private-sector offensive actor (PSOA), named “Sourgum” by Microsoft, is said to be the developer of a spy toolkit dubbed DevilsTongue, sold exclusively to governments and capable of infecting and monitoring a wide range of devices across different platforms, including iPhones, Android devices, Macs, PCs, and cloud accounts.

Citizen Lab said it was able to recover a copy of Candiru’s Windows spyware after obtaining a hard drive from a “politically active victim in Western Europe,” which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, which were exploited to install malware on victims’ machines.

The infection chain relied on a mix of browser and Windows exploits, the former served through one-time URLs sent to targets on messaging apps like WhatsApp. On July 13, Microsoft fixed the two elevation-of-privilege flaws, which allow an adversary to escape browser sandboxes and obtain kernel code execution.

The intrusions resulted in the deployment of DevilsTongue, a modular C/C++-based backdoor with many features, including file exfiltration, exporting messages saved in the Signal encrypted messaging app, and theft of cookies and passwords from the Chrome, Internet Explorer, Firefox, Safari and Opera browsers.

Microsoft’s analysis of the digital weapon also revealed that it could abuse cookies stolen from logged-in email and social network accounts like Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki and Vkontakte to collect information, read the victim’s messages, retrieve photos and even send messages on their behalf, allowing the threat actor to send malicious links directly from a compromised user’s computer.

Separately, the Citizen Lab report also linked the two Google Chrome vulnerabilities disclosed by the search giant on Wednesday, CVE-2021-21166 and CVE-2021-30551, to the Tel Aviv-based company, noting overlaps in the websites used to distribute the exploits.


In addition, 764 domains related to Candiru’s spyware infrastructure have been discovered, with many domains masquerading as advocacy organizations such as Amnesty International and the Black Lives Matter movement, as well as media companies and other civil-society entities. Some of the systems under their control were operated from Saudi Arabia, Israel, the United Arab Emirates, Hungary and Indonesia.

More than 100 victims of the SOURGUM malware have been identified to date, with targets located in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), the United Kingdom, Turkey, Armenia and Singapore. “These attacks have largely targeted consumer accounts, indicating that Sourgum’s customers are pursuing specific individuals,” said Cristin Goodwin, general manager of Microsoft’s digital security unit.

The latest report comes as TAG researchers Maddie Stone and Clement Lecigne have noted an increase in the number of attackers using zero-day exploits in their cyber offensives, in part fueled by a greater number of commercial vendors selling zero-day access compared with the early 2010s.

“Private-sector offensive actors are private companies that manufacture and sell cyber weapons in hack-as-a-service packages, often to government agencies around the world, to hack into the computers, phones, network infrastructure and other devices of their targets,” the Microsoft Threat Intelligence Center (MSTIC) said in a technical overview.

“With these hacking packages, government agencies typically choose the targets and execute the operations themselves. The tools, tactics and procedures used by these companies only add to the complexity, scale and sophistication of attacks,” MSTIC added.
