Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors.

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors.

According to separate reports released simultaneously by Microsoft and Citizen Lab, the Tel Aviv-based Candiru has been caught supplying high-end spyware capable of hijacking data from Windows PCs, Macs, iPhones and Android devices.

The two reports come less than 24 hours after Google’s Threat Analysis Group (TAG) documented four separate zero-day exploits in Chrome, Internet Explorer, and Webkit (Safari) that were created and sold by Candiru to government-backed attackers.

Exploit code from the mysterious Candiru was first observed in .gov hacking operations in Uzbekistan back in 2019 but the company has stayed under the radar while supplying its commercial hacking packages to compromise targets ranging from journalists, politicians, activists and dissidents.

The Citizen Lab report, titled Hooking Candiru, documents how the research outfit scanned the internet and found more than 750 websites linked to Candiru’s spyware infrastructure.  

[ Related: Microsoft Patches 3 Under-Attack Windows Zero-Days ]

Citizen Lab described Candiru as a “mercenary spyware firm” marketing untraceable surveillance software tools to government customers.  The Citizen Lab research team found that Candiru underwent multiple name changes over the years as part of attempts to mask its operations, infrastructure and staff identities.

The company’s exploits have been linked to nation-state malware attacks observed in Uzbekistan, Saudi Arabia and the United Arab Emirates (UAE), Singapore and Qatar.

Citizen Lab provided technical proof of the Candiru Windows spyware capabilities, including the ability to exfiltrate files from the popular encrypted messaging app Signal, and features to steal cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.

Microsoft’s Threat Intelligence Center (MSTIC) released its own report on Candiru, aka SOURGUM, describing the company as a “private-sector offensive” actor in the business of hawking and using Windows zero-day exploits.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” Microsoft said, warning that these mercenary operations “only adds to the complexity, scale, and sophistication of attacks.” 

[ Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021 ]

The Redmond, Wash. software giant confirmed it partnered with Citizen Lab on a project to disable a malware attack by Candiru that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Microsoft named the malware DevilsTongue and said victims were scattered around the Palestinian Authority, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore.

Redmond’s threat hunters found Candiru using a chain of browser and Windows exploits to plant malware on targeted victims.  The browser exploits were distributed via single-use URLs sent via WhatsApp messages.

From Microsoft’s report:

“During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits.”

Earlier this week, Microsoft’s Patch Tuesday bundle included urgent fixes for a pair of Windows kernel privilege escalation flaws that are now being linked to the Candiru operation.

According to Cristin Goodwin, General Manager in Microsoft’s Digital Security Unit, Candiru is in the business of manufacturing and selling “cyberweapons” to be used in precision attacks targeting consumer accounts.

“This is part of broader legal, technical and advocacy work we’re undertaking to address the dangers caused when [private sector offensive actors] build and sell weapons,” Goodwin said, warning that these companies “increase the risk that weapons fall into the wrong hands and threaten human rights.” 

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days 

Related: MS Patch Tuesday: NSA Reports New Critical Exchange Flaws

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Related: Patch Tuesday: Microsoft Warns of Under-Attack Windows Kernel

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.