
Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors.

According to separate reports released simultaneously by Microsoft and Citizen Lab, the Tel Aviv-based Candiru has been caught supplying high-end spyware capable of hijacking data from Windows PCs, Macs, iPhones and Android devices.

The two reports come less than 24 hours after Google’s Threat Analysis Group (TAG) documented four separate zero-day exploits in Chrome, Internet Explorer and WebKit (Safari). Google attributed the Chrome and Internet Explorer exploits to a single commercial surveillance vendor that sold them to government-backed attackers; Citizen Lab’s report links that vendor to Candiru.

Exploit code from the mysterious Candiru was first observed in government hacking operations in Uzbekistan back in 2019, but the company has stayed under the radar while supplying its commercial hacking packages to compromise targets including journalists, politicians, activists and dissidents.

The Citizen Lab report, titled Hooking Candiru, documents how the research outfit scanned the internet and found more than 750 websites linked to Candiru’s spyware infrastructure.


Citizen Lab described Candiru as a “mercenary spyware firm” marketing untraceable surveillance software tools to government customers. The Citizen Lab research team found that Candiru underwent multiple name changes over the years as part of attempts to mask its operations, infrastructure and staff identities.

The company’s exploits have been linked to nation-state malware attacks observed in Uzbekistan, Saudi Arabia, the United Arab Emirates (UAE), Singapore and Qatar.

Citizen Lab provided a technical analysis of the Candiru Windows spyware’s capabilities, including the ability to exfiltrate messages from the popular encrypted messaging app Signal, and features to steal cookies and passwords from the Chrome, Internet Explorer, Firefox, Safari and Opera browsers.

Microsoft’s Threat Intelligence Center (MSTIC) released its own report on Candiru, aka SOURGUM, describing the company as a “private-sector offensive” actor in the business of hawking and using Windows zero-day exploits.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” Microsoft said, warning that these mercenary operations “only adds to the complexity, scale, and sophistication of attacks.” 


The Redmond, Wash. software giant confirmed it partnered with Citizen Lab on a project to disable a malware attack by Candiru that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Microsoft named the malware DevilsTongue and said victims were scattered around the Palestinian Authority, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore.

Redmond’s threat hunters found Candiru using a chain of browser and Windows exploits to plant malware on targets’ machines. The browser exploits were delivered through single-use URLs sent to the targets via messaging apps such as WhatsApp.

From Microsoft’s report:

"During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits."

Earlier this week, Microsoft’s Patch Tuesday bundle included urgent fixes for a pair of Windows kernel privilege escalation flaws that are now being linked to the Candiru operation.
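As an added example, not code from the Microsoft or Citizen Lab reports, the PowerShell function below reports whether a Windows host has a security update installed on or after the July 2021 Patch Tuesday (13 July 2021), the release that fixed CVE-2021-31979 and CVE-2021-33771. It deliberately avoids hard-coding KB numbers, which differ per Windows version; instead it relies on the fact that Windows 10 cumulative updates include all earlier fixes, so any later cumulative security update also carries these two. The function name and the date-based test are this example’s own assumptions.

```powershell
# Added example, not from the Microsoft or Citizen Lab reports.
# Reports whether a Windows host has any security update installed on or after
# the July 2021 Patch Tuesday (13 July 2021), the release that fixed
# CVE-2021-31979 and CVE-2021-33771. Windows 10 cumulative updates include all
# earlier fixes, so a later cumulative security update also covers them.
function Test-July2021KernelPatch {
    [CmdletBinding()]
    param(
        # Defaults to the local machine; Get-HotFix also accepts remote names.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    # Assumption: the July 2021 Patch Tuesday date is the cut-off.
    $patchTuesday = [datetime]'2021-07-13'

    foreach ($computer in $ComputerName) {
        try {
            # Keep only security updates that carry an install date.
            $hotfixes = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.InstalledOn -and $_.Description -match 'Security' }
        }
        catch {
            Write-Warning "$computer : could not read update history ($($_.Exception.Message))"
            continue
        }

        $covering = $hotfixes |
            Where-Object { $_.InstalledOn -ge $patchTuesday } |
            Sort-Object InstalledOn -Descending

        [pscustomobject]@{
            ComputerName        = $computer
            SecurityUpdateCount = @($hotfixes).Count
            NewestSecurityKB    = if ($covering) { $covering[0].HotFixID } else { $null }
            NewestInstalledOn   = if ($covering) { $covering[0].InstalledOn.ToString('yyyy-MM-dd') } else { $null }
            CoversJuly2021      = [bool]$covering
        }
    }
}

# Usage: run from an elevated prompt; pass -ComputerName for a list of hosts
# and pipe to Export-Csv to sweep a fleet.
Test-July2021KernelPatch | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Get-HotFix reads Win32_QuickFixEngineering, which does not list every installed update, so a CoversJuly2021 of False should be confirmed against the OS build number (winver) and Microsoft’s release notes before the host is treated as unpatched. On older Windows versions only the monthly rollup is cumulative; the separate security-only package is not, so on those hosts the presence of a later security update does not by itself prove these two fixes are installed.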

According to Cristin Goodwin, General Manager in Microsoft’s Digital Security Unit, Candiru is in the business of manufacturing and selling “cyberweapons” to be used in precision attacks targeting consumer accounts.

“This is part of broader legal, technical and advocacy work we’re undertaking to address the dangers caused when [private sector offensive actors] build and sell weapons,” Goodwin said, warning that these companies “increase the risk that weapons fall into the wrong hands and threaten human rights.” 

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days 

Related: MS Patch Tuesday: NSA Reports New Critical Exchange Flaws

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Related: Patch Tuesday: Microsoft Warns of Under-Attack Windows Kernel

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.