Malware hunters at Microsoft have caught an Austrian hack-for-hire company exploiting zero-day flaws in Windows and Adobe software products in “limited and targeted attacks” against European and Central American computer users.
The company, called DSIRF, has been linked to a malware suite called ‘Subzero’ that has been deployed over the last two years via zero day exploits in Windows and Adobe’s flagship Reader software.
According to cross-team documentation from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), the Austrian private sector offensive actor was behind the zero-day attacks exploiting CVE-2022-22047, a recently patched security defect in the Windows Client/Server Runtime Subsystem (csrss.exe)
Microsoft patched the vulnerability in this month’s batch of patches and is urging Windows fleet administrations to “expedite deployment of the July 2022 Microsoft security updates” to protect their systems against exploits using the CVE-2022-22047 entry point.
The software giant said the Austria-based DSIRF falls into a category of cyber mercenaries that sell hacking tools or services through a variety of business models and double up by performing hack-for-hire targeted attack operations.
Based on observed attacks and news reports, Microsoft said it has evidence that DSIRF sells the Subzero malware to third parties but was also caught using its own infrastructure in some attacks, suggesting more direct involvement.
This is not the first time DSIRF has come under scrutiny for operating malware infrastructure. The company, which was established in 2016, claims to be involved in building red teaming technology but Microsoft says its investigation paints a different picture.
From the Microsoft documentation on DSIRF:
“As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.
It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.
MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”
In May this year, Microsoft response teams say they also found an Adobe Reader remote code execution (RCE) and a zero-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of the Subzero malware.
“The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit,” the company explained.
Based on DSIRF’s extensive use of additional zero-days, Microsoft believes the Adobe Reader remote code execution was indeed a zero-day exploit.
The Austrian company’s exploits are also being linked to two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) that were used in tandem with an Adobe Reader exploit (CVE-2021-28550) in 2021.
The hacker-for-hire industry has been in the spotlight all year with the big tech vendors – Microsoft, Facebook, Apple and Google – leading the pushback with research reports naming-and-shaming private mercenary hacking teams.