SecurityWeek

Application Security

Microsoft Catches Austrian Company Exploiting Windows, Adobe Zero-Days

Malware hunters at Microsoft have caught an Austrian hack-for-hire company exploiting zero-day flaws in Windows and Adobe software products in “limited and targeted attacks” against European and Central American computer users.

The company, called DSIRF, has been linked to a malware suite called ‘Subzero’ that has been deployed over the last two years via zero-day exploits in Windows and in Adobe’s flagship Reader software.

According to joint documentation from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), the Austrian private-sector offensive actor was behind zero-day attacks exploiting CVE-2022-22047, a recently patched elevation-of-privilege flaw in the Windows Client/Server Runtime Subsystem (csrss.exe).

Microsoft patched the vulnerability in this month’s batch of updates and is urging Windows fleet administrators to “expedite deployment of the July 2022 Microsoft security updates” to protect their systems against exploits that use CVE-2022-22047 as the privilege-escalation step.

The software giant said the Austria-based DSIRF falls into a category of cyber mercenaries that sell hacking tools or services through a variety of business models and that also perform hack-for-hire targeted attack operations themselves.

Based on observed attacks and news reports, Microsoft said it has evidence that DSIRF sells the Subzero malware to third parties but was also caught using its own infrastructure in some attacks, suggesting more direct involvement.

This is not the first time DSIRF has come under scrutiny for operating malware infrastructure. The company, which was established in 2016, claims to be involved in building red teaming technology but Microsoft says its investigation paints a different picture.

From the Microsoft documentation on DSIRF:

“As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.

It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.

MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”
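Two of the attribution signals Microsoft lists above translate directly into checks a Windows administrator can run on a suspect host: look for binaries signed with a certificate issued to the named organization, and confirm that the July 2022 security updates (the release that fixed CVE-2022-22047) are actually installed. The script below is an added example written for this page; it is not Microsoft’s or SecurityWeek’s code, and the scan roots, the signer-name pattern and the 12 July 2022 Patch Tuesday date are assumptions to adjust for your environment.

```powershell
# Added hunting script (not from Microsoft or SecurityWeek). Two checks a Windows
# administrator can run after reading the Microsoft attribution above:
#   1. Find Authenticode-signed PE files whose signer certificate subject names
#      the organization Microsoft tied to the exploit signer ("DSIRF").
#   2. List updates installed on or after the July 2022 Patch Tuesday
#      (12 July 2022), the release that fixed CVE-2022-22047.
# The scan roots, the signer pattern and the date are assumptions; adjust them.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:ProgramData"),
    [string]$SignerPattern = 'DSIRF',
    [datetime]$PatchTuesday = [datetime]'2022-07-12'
)

function Find-SignerMatches {
    param([string[]]$Roots, [string]$Pattern)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $cert = $sig.SignerCertificate
                # Match on the subject regardless of $sig.Status: a revoked or
                # expired certificate still identifies who signed the file, and
                # a revoked cert is exactly what you expect after an exposure.
                if ($cert -and $cert.Subject -match $Pattern) {
                    [pscustomobject]@{
                        Path       = $_.FullName
                        Status     = $sig.Status
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        Thumbprint = $cert.Thumbprint
                        NotAfter   = $cert.NotAfter
                    }
                }
            }
    }
}

function Get-UpdatesSince {
    param([datetime]$Since)
    # Get-HotFix reads the same data as 'wmic qfe'. InstalledOn can be null for
    # some entries, so require it before comparing.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

# Avoid the automatic $Matches variable; use a distinct name for the results.
$signerHits = @(Find-SignerMatches -Roots $Paths -Pattern $SignerPattern)
if ($signerHits.Count) {
    Write-Warning "Files signed with a certificate whose subject matches '$SignerPattern':"
    $signerHits | Format-Table -AutoSize
} else {
    Write-Host "No files under $($Paths -join ', ') are signed by a certificate matching '$SignerPattern'."
}

$updates = @(Get-UpdatesSince -Since $PatchTuesday)
if ($updates.Count) {
    Write-Host "Updates installed since $($PatchTuesday.ToShortDateString()):"
    $updates | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since $($PatchTuesday.ToShortDateString()); the July 2022 security updates may be missing."
}
```

Run it in an elevated PowerShell session so that files in other users’ profiles and in ProgramData are readable. The signer check only finds files the attacker signed with that certificate, so treat an empty result as one negative signal, not as a clean bill of health, and pair it with the command-and-control indicators from the Microsoft report. The update check is deliberately coarse: Get-HotFix does not tell you which KB carries the CVE-2022-22047 fix for a given Windows build, so confirm the exact KB for each build against the MSRC advisory before declaring a fleet patched.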

In May this year, Microsoft response teams say they also found an Adobe Reader remote code execution (RCE) exploit chained with a zero-day Windows privilege escalation exploit in an attack that led to the deployment of the Subzero malware.

“The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit,” the company explained.

Based on DSIRF’s extensive use of other zero-days, Microsoft believes the Adobe Reader remote code execution bug was indeed a zero-day exploit.

Microsoft also links the Austrian company to two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) that were chained with an Adobe Reader exploit (CVE-2021-28550) in attacks during 2021.

The hack-for-hire industry has been in the spotlight all year, with the big tech vendors – Microsoft, Facebook, Apple and Google – leading the pushback with research reports naming and shaming private mercenary hacking teams.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
