IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Recent Microsoft attacks traced to secretive Israeli spyware firm

Candiru, which trades exclusively with governments, distributed zero-day exploits for vulnerabilities patched this week

Darkened image of a hacker wearing a hoodie using computing equipment

Microsoft and CitizenLab have revealed that attacks launched against two recently-patched Windows zero-days were supported by a secretive Israeli-based company that specialises in selling spyware and exploits.

Microsoft believes the vendor named Candiru, codenamed Sourgum, developed spyware dubbed DevilsTongue that unknown clients used to exploit a pair of vulnerabilities the company fixed as part of its latest wave of Patch Tuesday updates.

These are CVE-2021-31979 and CVE-2021-33771, both privilege escalation vulnerabilities that allow attackers to escape browser sandboxes and gain kernel code execution privileges. They were patched on 13 July alongside another exploited zero-day and the PrintNightmare vulnerability.

As part of its investigation, Microsoft identified at least 100 victims based across the Middle East and in the UK and Singapore, including human rights activists, journalists, political dissidents, and politicians.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” said Microsoft’s Threat Intelligence Centre (MSTIC). “MSTIC believes Sourgum is an Israel-based private-sector offensive actor.

“Citizen Lab asserts with high confidence that Sourgum is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces “hacking tools [that] are used to break into computers and servers”.

Citizen Lab’s report reveals that Candiru is a mercenary spyware firm that markets ‘untraceable’ spyware exclusively to government customers, with products including systems that spy on devices and cloud accounts. Its previous customers include Saudi Arabia and the United Arab Emirates.

Candiru appears to license its spyware by the ‘number of concurrent infections’ which would reflect the high number of targets that can be under active surveillance at any one time. The fine print on a product proposal Citizen Lab analysed also suggested there’s a list of restricted countries clients cannot attack, which are the US, Russia, China, Israel, and Iran.

The company is similar in nature to NSO Group, another infamous Israeli company that developed the Pegasus spyware that its clients used to target high-profile WhatsApp accounts in 2019.

Microsoft identified DevilsTonge, the tool used to exploit the two Microsoft zero-days, as a complex, modular, multi-threaded malware written in C and C++ with novel capabilities.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

Its main function resides in Dynamic Link Library files that are encrypted on disk, and only decrypted in memory, for example, meaning it’s difficult to detect. Configuration and tasking data is separate from the malware, meaning analysis is hard, while the malware has both user mode and kernel mode capabilities. The malware is also embedded with further evasion mechanisms, although Microsoft is yet to fully analyse the nature of these.

Citizen Lab also identified at least 764 domain names likely in use by Candiru and its clientele to lure victims, with many of these disguised as progressive and charitable organisations like Black Lives Matter and Amnesty International. Other domains were masquerading as media companies and civil-society themed entities.

“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” said Citizen Lab researchers Bill Marczak, Kristin Berdan, Bahr Abdul Razzak, and Ron Deibert.

“This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their domestic and foreign security agencies. Many are characterised by poor human rights track records.”

Featured Resources

What 2023 will mean for the industry

What do most IT decision makers really think will be the important trends and challenges in the coming year?

Free Download

2022 Magic quadrant for Security Information and Event Management (SIEM)

SIEM is evolving into a security platform with multiple features and deployment models

Free Download

IDC MarketScape: Worldwide unified endpoint management services

2022 vendor assessment

Free Download

Magic quadrant for application performance monitoring and observability

Enabling continuous updating of diverse & dynamic application environments

View Now

Most Popular

Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
GTA V vulnerability exposes PC users to partial remote code execution attacks

GTA V vulnerability exposes PC users to partial remote code execution attacks

23 Jan 2023
European partners expect growth this year, here are three ways they will achieve it

European partners expect growth this year, here are three ways they will achieve it

17 Jan 2023