



This week’s Patch Tuesday release from Microsoft closed two vulnerabilities exploited by spyware allegedly sold to governments by Israeli developer Candiru.

Citizen Lab released a report on Thursday naming Candiru, which Microsoft has codenamed Sourgum, as the maker of the spy toolkit. Microsoft understands that the spyware, codenamed DevilsTongue, has exploited at least a pair of Windows zero-day holes to infect specific targets’ machines.

At least 100 people, from politicians, human rights activists, and journalists to scholars, embassy staff, and dissidents, have had their systems infiltrated by the Sourgum code, Redmond said. About half are in Palestine; the rest are scattered across Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.

Once a Windows PC is comprehensively compromised, DevilsTongue can steal victims’ files, obtain login credentials for online and network accounts, snoop on chat messages, and more. Candiru also claims to market spyware that can infect and monitor iPhones, Android devices, Macs, and Windows PCs. These products are said to be sold to government agencies and other organizations, which use the spy software against selected targets.

“Candiru’s apparent widespread presence, and the use of its surveillance technology against the world’s civil society, is a strong reminder that the mercenary spyware industry has many players and tends towards widespread abuse,” said Citizen Lab, part of the University of Toronto, in its report.

“This case shows that, in the absence of international safeguards and strong government export controls, spyware vendors sell to government clients who routinely abuse their services.”

At least 764 domain names were found that may have been used in some way to push Candiru’s malware to victims. Websites using these domains typically spoofed legitimate sites belonging to Amnesty International, refugee organizations, the United Nations, governments, the press, and the Black Lives Matter movement. The idea appears to be to direct visitors to web pages that exploit bugs in browsers, Microsoft Office, and Windows to infect their PCs with DevilsTongue and grant the spyware administrator-level access.

How about that patch?

After Citizen Lab obtained a hard drive from a “politically active victim in Western Europe,” Microsoft said it was able to fix the operating system flaws exploited by Candiru’s software in this month’s Patch Tuesday. Redmond reverse engineered the spyware to understand the infection process.

The Windows giant confirmed that two privilege escalation vulnerabilities, CVE-2021-31979 and CVE-2021-33771, had been exploited, and patched them this week.

“The weapons disabled were used in precision attacks targeting more than 100 victims worldwide, including politicians, human rights activists, journalists, scholars, embassies, and political opponents,” said Cristin Goodwin, GM of Microsoft’s Digital Security Unit.

Redmond’s technical overview of the spyware states that DevilsTongue gets a foothold on a system by, for example, exploiting a flaw in the user’s browser when the user visits a booby-trapped site, and then uses the privilege escalation holes described above to get into the kernel and take full control of the box.

Once installed on a Windows PC, the malware can collect all session cookies and passwords from the browser, giving its operators control over the victim’s social media accounts and third-party apps. It has some novel features designed to evade detection, and Microsoft said its “developers are very professional, have extensive experience in creating Windows malware, and fully understand operational security.”

The Chocolate Factory chimes in, warns that it’s not over

Meanwhile, Google this week elaborated on a series of bugs it detected being exploited by malicious web pages and documents to execute code on netizens’ machines.

For example, DevilsTongue appears to have been installed by exploiting CVE-2021-21166 and CVE-2021-30551 in Chrome, and CVE-2021-33742 in Internet Explorer’s MSHTML scripting engine, which is also used by Microsoft Office, and chaining them with the Windows bugs mentioned above to gain administrator-level access to the victim’s PC, data, and applications. All the victim needed to do was visit a booby-trapped page in Chrome or open a maliciously crafted document in Office.

These flaws are now patched. “Based on our analysis, we assess that the Chrome and Internet Explorer exploits were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” said Googlers Maddie Stone and Clement Lecigne in a report linking the activity to spyware vendor Candiru.

Google also documented an unrelated remote code execution flaw in Safari’s WebKit engine.

One of the Chrome flaws was found being exploited to commandeer Windows computers in Armenia. Marks were lured to websites that profiled their screen resolution, time zone, supported languages, browser plugins, and available MIME types to decide whether to compromise the browser.

“This information was collected by the attackers to decide whether or not to deliver an exploit to the target,” said Google’s Threat Analysis Group (TAG). “Using the proper configuration, we were able to recover two zero-day exploits.”

Further investigation revealed that Armenian Windows users were also targeted through the aforementioned Internet Explorer flaw, which is triggered by opening an Office document containing either a malicious ActiveX object or a VBA macro. Microsoft fixed that issue last month.

Make it rain

Candiru has been in operation since 2014 and is reminiscent of the NSO Group, another Israeli surveillance outfit. Judging by the contracts Citizen Lab has obtained, this is a lucrative business.

One deal was worth 16.85 million ($20 million) and offered unlimited malware infection attempts, but the ability to directly monitor only 10 devices in a single country. An additional 1.5 million ($1.8 million) buys access to another 15 devices, and for 5.5 million ($6.5 million) buyers can snoop on 25 mobile phones in up to five countries.

There are also paid add-ons for access to particular accounts. Access to a target’s Signal messages costs an additional 500,000 ($590,000). Candiru offers access to victims’ Twitter, Viber, and WeChat for about half that amount. Training for four administrators and eight operators is included in the price.

According to Citizen Lab, Candiru has changed its name five times in the last seven years and keeps a very low profile. A former employee who sued the company over unpaid fees claimed that it had revenues of $30 million in 2017 and that business was doing well thanks to the organization’s licensing.

“The Israeli Ministry of Defense, which must grant an export license before an Israeli-based company like Candiru can sell abroad, has so far proven that it is unwilling to subject surveillance companies to the type of rigorous scrutiny required to prevent the kinds of abuse that we and other organizations have identified.”

“The country’s licensing process is almost completely opaque, lacking public accountability or even the most basic measures of transparency.”

Some wonder how this spyware flies in the United States. Facebook has sued the NSO Group for allegedly breaking into users’ phones illegally through WhatsApp security holes.

NSO’s lawyers have used various legal arguments, claiming that the software is only licensed to governments for crime-fighting or counter-terrorism work, that the company has sovereign immunity, and that it does not operate in the US market. Facebook itself, however, had turned down an offer of the company’s Pegasus snoopware. At one stage, NSO didn’t even appear in court.

The proceedings are ongoing. US Senator Ron Wyden (D-OR) is seeking an investigation into NSO products marketed to law enforcement agencies.

