Cybersecurity experts have shared details about a mercenary spyware vendor that exploited at least a couple of zero-day vulnerabilities, which Microsoft patched in the July Patch Tuesday.
Security experts from Microsoft Threat Intelligence Center (MSTIC) worked together with internet watchdog Citizen Lab to blow the lid off the Israel-based mercenary spyware company, Candiru, which sells spyware exploit toolkits exclusively to governments.
“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves,” observes MSTIC in a blog post.
- Protect your devices with these best antivirus software
- Here are the best ransomware protection tools
- Also check our list of the best endpoint protection tools
While Citizen Lab directly identifies Candiru as the toolkit author, Microsoft has chosen to refer to it by its code-name Sourgum.
Targeted spyware
MSTIC and Citizen Lab say that Candiru/Sourgum used the zero-day vulnerability to craft a malware dubbed DevilsTounge.
According to their investigation, DevilTounge infected at least a hundred human rights defenders, dissidents, journalists, activists, and politicians in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore.
Citizen Lab identified a politically active victim in Western Europe and worked with it to recover a copy of DevilsTounge, which led to the discovery of the now-patched privilege escalation vulnerabilities, specifically tracked as CVE-2021-31979 and CVE-2021-33771.
According to MSTIC’s breakdown of the spyware, in addition to standard malware capabilities including exfiltrating files, credentials, and other sensitive information, DevilsTounge is also designed to decrypt and exfiltrate conversations from the Signal messaging app, the preferred means of communication by activists to circumvent snooping.
- Here’s our list of the best patch management tools and services
