SecurityWeek

Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors.

According to separate reports released simultaneously by Microsoft and Citizen Lab, the Tel Aviv-based Candiru has been caught supplying high-end spyware capable of hijacking data from Windows PCs, Macs, iPhones and Android devices.

The two reports come less than 24 hours after Google’s Threat Analysis Group (TAG) documented four separate zero-day exploits in Chrome, Internet Explorer, and Webkit (Safari) that were created and sold by Candiru to government-backed attackers.

Exploit code from the mysterious Candiru was first observed in government hacking operations in Uzbekistan back in 2019, but the company has stayed under the radar while supplying its commercial hacking packages to compromise targets including journalists, politicians, activists and dissidents.

The Citizen Lab report, titled “Hooking Candiru,” documents how the research outfit scanned the internet and found more than 750 websites linked to Candiru’s spyware infrastructure.


Citizen Lab described Candiru as a “mercenary spyware firm” marketing untraceable surveillance software tools to government customers. The Citizen Lab research team found that Candiru underwent multiple name changes over the years as part of attempts to mask its operations, infrastructure and staff identities.

The company’s exploits have been linked to nation-state malware attacks observed in Uzbekistan, Saudi Arabia, the United Arab Emirates (UAE), Singapore and Qatar.


Citizen Lab provided technical proof of the Candiru Windows spyware capabilities, including the ability to exfiltrate files from the popular encrypted messaging app Signal, and features to steal cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.

Microsoft’s Threat Intelligence Center (MSTIC) released its own report on Candiru, aka SOURGUM, describing the company as a “private-sector offensive” actor in the business of hawking and using Windows zero-day exploits.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” Microsoft said, warning that these mercenary operations “only adds to the complexity, scale, and sophistication of attacks.” 


The Redmond, Wash.-based software giant confirmed it partnered with Citizen Lab on a project to disable a malware attack by Candiru that targeted more than 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Microsoft named the malware DevilsTongue and said victims were scattered around the Palestinian Authority, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore.

Redmond’s threat hunters found Candiru using a chain of browser and Windows exploits to plant malware on targeted victims. The browser exploits were distributed via single-use URLs sent via WhatsApp messages.

From Microsoft’s report:

“During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits.”

Earlier this week, Microsoft’s Patch Tuesday bundle included urgent fixes for a pair of Windows kernel privilege escalation flaws that are now being linked to the Candiru operation.

According to Cristin Goodwin, General Manager in Microsoft’s Digital Security Unit, Candiru is in the business of manufacturing and selling “cyberweapons” to be used in precision attacks targeting consumer accounts.

“This is part of broader legal, technical and advocacy work we’re undertaking to address the dangers caused when [private sector offensive actors] build and sell weapons,” Goodwin said, warning that these companies “increase the risk that weapons fall into the wrong hands and threaten human rights.” 

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: MS Patch Tuesday: NSA Reports New Critical Exchange Flaws

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Related: Patch Tuesday: Microsoft Warns of Under-Attack Windows Kernel

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
