SecurityWeek

Application Security

Microsoft Catches Austrian Company Exploiting Windows, Adobe Zero-Days

Malware hunters at Microsoft have caught an Austrian hack-for-hire company exploiting zero-day flaws in Windows and Adobe software products in “limited and targeted attacks” against European and Central American computer users.

The company, called DSIRF, has been linked to a malware suite called ‘Subzero’ that has been deployed over the last two years via zero-day exploits in Windows and Adobe’s flagship Reader software.

According to cross-team documentation from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), the Austrian private-sector offensive actor was behind the zero-day attacks exploiting CVE-2022-22047, a recently patched security defect in the Windows Client/Server Runtime Subsystem (csrss.exe).

Microsoft patched the vulnerability in this month’s batch of patches and is urging Windows fleet administrators to “expedite deployment of the July 2022 Microsoft security updates” to protect their systems against exploits using the CVE-2022-22047 entry point.

The software giant said the Austria-based DSIRF falls into a category of cyber mercenaries that sell hacking tools or services through a variety of business models and double up by performing hack-for-hire targeted attack operations.

Based on observed attacks and news reports, Microsoft said it has evidence that DSIRF sells the Subzero malware to third parties but was also caught using its own infrastructure in some attacks, suggesting more direct involvement.

This is not the first time DSIRF has come under scrutiny for operating malware infrastructure. The company, which was established in 2016, claims to be involved in building red teaming technology but Microsoft says its investigation paints a different picture.

From the Microsoft documentation on DSIRF:

“As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.

It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.

MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”
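Two of the points above translate directly into host-side checks: Microsoft's advice to expedite the July 2022 updates (the fix for CVE-2022-22047 shipped on the 12 July 2022 Patch Tuesday) and its finding that an exploit was signed with a code-signing certificate issued to DSIRF. The PowerShell below is an added example written for this page, not code from SecurityWeek or from Microsoft's report. It assumes the analyst supplies the signer subject string to hunt for (the article does not print the certificate subject, so the `DSIRF` default is a placeholder), and it treats `Get-HotFix` as a first pass only, since not every cumulative update registers as a hotfix.

```powershell
# Added example (not from the article or Microsoft's report). Two checks a responder
# would want after reading the Knotweed/DSIRF reporting:
#   1. Has this host received any update registered on or after 12 July 2022, the
#      Patch Tuesday that carried the CVE-2022-22047 fix? Get-HotFix only sees
#      updates that register as hotfixes, so "nothing found" means "go verify in
#      Windows Update", not "unpatched".
#   2. Which executables under a path carry an Authenticode signature whose signer
#      subject matches an analyst-supplied pattern? The pattern is an assumption:
#      replace the placeholder with the subject string from your own IOC set.

param(
    [string]   $ScanPath      = "$env:ProgramData",
    [string]   $SignerPattern = 'DSIRF',               # placeholder, not a published IOC
    [datetime] $PatchTuesday  = [datetime]'2022-07-12'
)

function Get-UpdatesSince {
    param([datetime] $Since)
    # InstalledOn is null for some entries; drop those before comparing dates.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Find-SignedBinariesBySubject {
    param(
        [string] $Path,
        [string] $Pattern
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            # Match on the signer subject regardless of Status: a certificate that has
            # since been revoked still identifies who signed the file, which is the
            # attribution signal the report describes.
            if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $Pattern) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Status     = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Subject    = $sig.SignerCertificate.Subject
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    NotAfter   = $sig.SignerCertificate.NotAfter
                }
            }
        }
}

$updates = Get-UpdatesSince -Since $PatchTuesday
if ($updates) {
    "Updates registered on or after $($PatchTuesday.ToShortDateString()):"
    $updates | Format-Table -AutoSize
} else {
    "No hotfix registered since $($PatchTuesday.ToShortDateString()); confirm the July 2022 cumulative update in Windows Update."
}

$hits = Find-SignedBinariesBySubject -Path $ScanPath -Pattern $SignerPattern
if ($hits) {
    "Binaries under $ScanPath signed by a certificate whose subject matches '$SignerPattern':"
    $hits | Format-Table -AutoSize
} else {
    "No binaries under $ScanPath matched signer pattern '$SignerPattern'."
}
```

A `Valid` status proves only that the file was signed with the private key behind that certificate, not that the signer is trustworthy; a signed exploit is exactly the case the report describes, so the thumbprint and subject are the values to pivot on, and a subject match with any status is worth a closer look.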

In May this year, Microsoft response teams say they also found an Adobe Reader remote code execution (RCE) and a zero-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of the Subzero malware.

“The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit,” the company explained.

Based on DSIRF’s extensive use of additional zero-days, Microsoft believes the Adobe Reader remote code execution was indeed a zero-day exploit.

The Austrian company has also been linked to two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) that were used in tandem with an Adobe Reader exploit (CVE-2021-28550) in 2021.

The hacker-for-hire industry has been in the spotlight all year with the big tech vendors – Microsoft, Facebook, Apple and Google – leading the pushback with research reports naming-and-shaming private mercenary hacking teams.

Related: Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days 

Related: Patch Tuesday: 84 Windows Vulns, Including Already-Exploited Zero-Day

Related: Apple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary Spyware

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.