Microsoft, Google and Citizen Lab break the veil on spyware exploiting zero-day bugs sold to governments • The Register



Analysis Microsoft’s software patches this week shut down two vulnerabilities exploited by spyware allegedly sold to governments by Israeli developer Candiru.

On Thursday, Citizen Lab released a report fingering Candiru as the maker of the spy toolkit, an outfit Microsoft codenamed Sourgum. It is understood that the spyware, named DevilsTongue by Microsoft, exploited at least a pair of zero-day vulnerabilities in Windows to infect particular target machines.

Redmond said at least 100 people – politicians, human rights activists and journalists, academics, embassy workers and political dissidents – have had their systems infiltrated by the Sourgum code; about half are in Palestine, and the rest are in Israel, Iran, Lebanon, Yemen, Spain, the UK, Turkey, Armenia and Singapore.

Once it has fully compromised a Windows PC, DevilsTongue can exfiltrate a victim’s files, harvest their login credentials for online and network accounts, spy on chat messages, and more. Candiru also touts spyware that can infect and monitor iPhones, Android devices, and Macs, as well as Windows PCs, it is claimed. The products are said to be on sale to government agencies and other organizations, which then use the spy software against their chosen targets.

“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a powerful reminder that the mercenary spyware industry contains many players and is subject to widespread abuse,” said Citizen Lab, which is part of the University of Toronto, in its report.

“This case demonstrates, once again, that in the absence of international guarantees or strict government export controls, spyware vendors will sell to government customers who regularly abuse their services.”

We are told that at least 764 domain names were found that were likely used in one way or another to deliver Candiru’s malware to victims: websites using these domains generally masqueraded as legitimate sites belonging to Amnesty International and refugee organizations, the United Nations, governments, the media and Black Lives Matter communities. The idea, it seems, is to lure visitors to web pages that exploit browser, Microsoft Office and Windows bugs not only to infect PCs with DevilsTongue, but also to grant the spyware administrator-level access.

How is this patch going?

Microsoft was able to fix the operating system flaws exploited by Candiru’s software in this month’s Patch Tuesday after Citizen Lab obtained a hard drive from a “politically active victim in Western Europe,” it said. Redmond reverse engineered the spyware to understand the infection process.

The Windows goliath found that two privilege escalation vulnerabilities, CVE-2021-31979 and CVE-2021-33771, were being exploited, and fixed them this week.

“The weapons disabled were used in precision attacks targeting more than 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents,” said Cristin Goodwin, Managing Director of Microsoft’s Digital Security Unit.

In Redmond’s technical overview of the spyware, it said that the DevilsTongue malware would gain a foothold on a system by exploiting holes in, for example, a user’s browser when visiting a booby-trapped site, and then use the aforementioned elevation-of-privilege bugs to get into the kernel and gain full control of the box.

The nasty software, once on a Windows PC, is capable of collecting all browser session cookies and passwords, and can take over social media accounts and third-party applications. It included several novel features designed to avoid detection, which led Microsoft to conclude that “the developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security.”

Chocolate Factory arrives, warns it’s not over

Google, meanwhile, this week detailed a bunch of bugs it found were exploited by malicious web pages and documents to obtain code execution on internet users’ machines.

It appears DevilsTongue exploited CVE-2021-21166 and CVE-2021-30551 in Chrome, and CVE-2021-33742 in Internet Explorer’s MSHTML scripting engine – used by Microsoft Office, for example – and chained them with the above Windows bugs to install itself on the victim’s PC and gain administrator-level access to data and applications. All a victim would have to do is navigate to a booby-trapped page in Chrome or open a maliciously crafted document in Office.

These flaws have already been fixed. “Based on our analysis, we assess that the Chrome and Internet Explorer exploits… were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” noted Googlers Maddie Stone and Clement Lecigne, adding: “Citizen Lab released a report tying the activity to spyware vendor Candiru.”

Google also documented an unrelated remote code execution flaw in Safari’s WebKit engine for good measure.

We are told that the Chrome flaws were spotted being exploited to commandeer Windows computers in Armenia. Marks would be lured to websites that profiled their screen resolution, time zone, supported languages, browser plugins, and available MIME types to decide whether or not to compromise their browser.

“This information was collected by the attackers to decide whether or not an exploit should be delivered to the target,” Google’s Threat Analysis Group (TAG) said. “Using the correct configurations, we were able to recover two zero-day exploits.”

Further investigation revealed that Armenian Windows users were targeted through the aforementioned Internet Explorer flaw. This would be triggered by opening an Office document containing either a malicious ActiveX object or a VBA macro. Microsoft fixed this problem last month.
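The article notes that the Internet Explorer bug was triggered by opening an Office document carrying a malicious ActiveX object or a VBA macro. A defender triaging inbound documents can at least flag the ones that contain either kind of active content before anyone opens them. The check below is an added example, not code from The Register, Microsoft, Google or Citizen Lab: it relies on the fact that modern Office files (.docx, .docm, .xlsx, .pptx) are ZIP archives in which a VBA project is stored as a `vbaProject.bin` part and ActiveX controls as parts under an `activeX/` folder. The sample documents are constructed in memory so the script runs offline; the quarantine policy function is a hypothetical hook.

```python
"""Flag Office Open XML documents that carry a VBA project or embedded ActiveX controls.

Added example: a triage check for the kind of lure document the article describes
(an Office file with a malicious ActiveX object or VBA macro). OOXML files are ZIP
archives; macros live in a vbaProject.bin part and ActiveX controls in parts under
an activeX/ folder (word/, xl/ or ppt/ prefix depending on the application).
Legacy binary .doc/.xls files use a different container and are NOT covered here.
"""
import io
import zipfile
from typing import Dict, List

# OOXML part-name conventions that indicate active content.
VBA_PART_SUFFIX = "vbaProject.bin"
ACTIVEX_DIR_MARKER = "/activeX/"


def active_content(doc_bytes: bytes) -> Dict[str, List[str]]:
    """Return the VBA and ActiveX part names found in an OOXML document.

    Both lists empty means no macro or ActiveX parts were found, or the input
    is not a ZIP container at all (legacy binary formats, truncated files).
    """
    result: Dict[str, List[str]] = {"vba": [], "activex": []}
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    for name in names:
        if name.endswith(VBA_PART_SUFFIX):
            result["vba"].append(name)
        elif ACTIVEX_DIR_MARKER in name:
            result["activex"].append(name)
    return result


def should_quarantine(doc_bytes: bytes) -> bool:
    """Hypothetical policy hook: hold any document with either kind of active content."""
    found = active_content(doc_bytes)
    return bool(found["vba"] or found["activex"])


def build_sample_docx(parts: Dict[str, bytes]) -> bytes:
    """Construct a minimal stand-in .docx (a ZIP with the given extra parts).

    This is constructed test data, not a real document; it has just enough
    structure for the part-name check above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", b"<w:document/>")
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a clean document, a macro-enabled one, and one with an ActiveX control.
CLEAN_DOC = build_sample_docx({})
MACRO_DOC = build_sample_docx({"word/vbaProject.bin": b"\x00constructed-vba-blob"})
ACTIVEX_DOC = build_sample_docx({
    "word/activeX/activeX1.xml": b"<ax:ocx/>",
    "word/activeX/activeX1.bin": b"\x00constructed-ocx-blob",
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("macro", MACRO_DOC), ("activex", ACTIVEX_DOC)):
        verdict = "quarantine" if should_quarantine(doc) else "pass"
        print(label, active_content(doc), verdict)
```

Part names are a cheap first filter, not proof of malice: plenty of legitimate spreadsheets ship macros, and a document can reference an ActiveX control without the control itself being hostile. The point is to route such files to a sandbox or a protected view rather than to a user's default Office install, which is where an MSHTML bug of the kind the article describes would fire.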

Make it rain

Candiru has been operating since 2014 and is reminiscent of another Israeli surveillance outfit: NSO Group. It’s a lucrative business, judging by a contract obtained by Citizen Lab.

The deal, valued at €16.85 million ($20 million), offers unlimited malware injection attempts, but only the ability to directly monitor ten devices in one country. An additional €1.5 million ($1.8 million) buys access to 15 more devices, and for €5.5 million ($6.5 million) buyers can snoop on 25 devices combined in up to five countries.

There are also optional paid extras to access specific accounts. If you want a target’s Signal messages, it will cost you an additional €500,000 ($590,000). Candiru also offers access to a victim’s Twitter, Viber, and WeChat for about half that amount. Training for four administrators and eight operators is included in the price.

Citizen Lab said Candiru appears to have changed its name five times in the past seven years and maintains a very low profile. An ex-employee suing the company for lost commission claimed it had $30 million in revenue in 2017, and business is good thanks to the organization’s export license.

“The Israeli Defense Ministry – from which Israel-based companies like Candiru must receive an export license before selling overseas – has so far been reluctant to subject surveillance companies to the type of rigorous scrutiny that would be necessary to prevent abuses of the kind that we and other organizations have identified,” Citizen Lab said.

“The export licensing process in this country is almost entirely opaque, lacking even the most basic measures of public accountability or transparency.”

One wonders how this spyware would fly in America. Facebook is suing NSO Group, accusing it of illegally compromising users’ phones to snoop on them through a security hole in WhatsApp.

Lawyers for NSO have used a variety of legal arguments: claiming that it only licenses its software to governments for criminal or counterterrorism purposes and therefore enjoys sovereign immunity, that it was not present in the US market, and that Facebook itself had attempted to buy the company’s Pegasus snoopware but was refused. At one point, NSO didn’t even bother to show up in court.

The case is ongoing. US Senator Ron Wyden (D-OR) has called for an investigation into the NSO products touted by law enforcement. ®
