Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors.

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors.

According to separate reports released simultaneously by Microsoft and Citizen Lab, the Tel Aviv-based Candiru has been caught supplying high-end spyware capable of hijacking data from Windows PCs, Macs, iPhones and Android devices.

The two reports come less than 24 hours after Google’s Threat Analysis Group (TAG) documented four separate zero-day exploits in Chrome, Internet Explorer, and Webkit (Safari) that were created and sold by Candiru to government-backed attackers.

Exploit code from the mysterious Candiru was first observed in .gov hacking operations in Uzbekistan back in 2019 but the company has stayed under the radar while supplying its commercial hacking packages to compromise targets ranging from journalists, politicians, activists and dissidents.

The Citizen Lab report, titled Hooking Candiru, documents how the research outfit scanned the internet and found more than 750 websites linked to Candiru’s spyware infrastructure.  

[ Related: Microsoft Patches 3 Under-Attack Windows Zero-Days ]

Citizen Lab described Candiru as a “mercenary spyware firm” marketing untraceable surveillance software tools to government customers.  The Citizen Lab research team found that Candiru underwent multiple name changes over the years as part of attempts to mask its operations, infrastructure and staff identities.

The company’s exploits have been linked to nation-state malware attacks observed in Uzbekistan, Saudi Arabia and the United Arab Emirates (UAE), Singapore and Qatar.

Advertisement. Scroll to continue reading.

Citizen Lab provided technical proof of the Candiru Windows spyware capabilities, including the ability to exfiltrate files from the popular encrypted messaging app Signal, and features to steal cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.

Microsoft’s Threat Intelligence Center (MSTIC) released its own report on Candiru, aka SOURGUM, describing the company as a “private-sector offensive” actor in the business of hawking and using Windows zero-day exploits.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” Microsoft said, warning that these mercenary operations “only adds to the complexity, scale, and sophistication of attacks.” 

[ Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021 ]

The Redmond, Wash. software giant confirmed it partnered with Citizen Lab on a project to disable a malware attack by Candiru that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Microsoft named the malware DevilsTongue and said victims were scattered around the Palestinian Authority, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore.

Redmond’s threat hunters found Candiru using a chain of browser and Windows exploits to plant malware on targeted victims.  The browser exploits were distributed via single-use URLs sent via WhatsApp messages.

From Microsoft’s report:

“During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits.”

Earlier this week, Microsoft’s Patch Tuesday bundle included urgent fixes for a pair of Windows kernel privilege escalation flaws that are now being linked to the Candiru operation.

According to Cristin Goodwin, General Manager in Microsoft’s Digital Security Unit, Candiru is in the business of manufacturing and selling “cyberweapons” to be used in precision attacks targeting consumer accounts.

“This is part of broader legal, technical and advocacy work we’re undertaking to address the dangers caused when [private sector offensive actors] build and sell weapons,” Goodwin said, warning that these companies “increase the risk that weapons fall into the wrong hands and threaten human rights.” 

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days 

Related: MS Patch Tuesday: NSA Reports New Critical Exchange Flaws

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Related: Patch Tuesday: Microsoft Warns of Under-Attack Windows Kernel

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...