Candiru sells hacking software that can penetrate Microsoft Windows
Israel-based Candiru, a hacking tool vendor, has created and sold a software exploit that can penetrate Microsoft Windows, Microsoft said in a report.
Technical analysis by security researchers details how the Candiru hacking tool spread worldwide to numerous anonymous clients, who then used it to target various civil society organizations, including a Saudi dissident group and a left-wing Indonesian media outlet, according to reports from Citizen Lab and Microsoft.
Evidence of the exploit recovered by Microsoft suggests that it has been deployed against users in several countries, including Iran, Lebanon, Spain and the United Kingdom, according to the Citizen Lab report.
Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Its spyware reportedly can infect and monitor iPhones, Android devices, Macs, PCs, and cloud accounts.
Through web scanning, Citizen Lab identified more than 750 websites linked to Candiru’s spyware infrastructure. Citizen Lab found numerous domains impersonating advocacy organizations such as Amnesty International and the Black Lives Matter movement, as well as media companies and other civil society themes.
Citizen Lab identified a politically active victim in Western Europe and recovered a copy of Windows spyware from Candiru.
In collaboration with the Microsoft Threat Intelligence Center (MSTIC), Citizen Lab analyzed the spyware, which led Microsoft to discover CVE-2021-31979 and CVE-2021-33771, two elevation-of-privilege vulnerabilities exploited by Candiru. Microsoft patched both vulnerabilities on July 13, 2021.
As part of the investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the UK, Turkey, Armenia and Singapore. Victims include human rights defenders, dissidents, journalists, activists and politicians.
Microsoft fixed the flaws on Tuesday via a software update. Microsoft did not directly attribute the exploits to Candiru, instead labeling it an Israel-based private-sector offensive actor codenamed Sourgum.
“Sourgum sells cyber weapons that allow its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and handle the actual operations themselves.”
Candiru’s tools also exploited weaknesses in other common software products, such as Google’s Chrome browser.
On Wednesday, Google published a blog post disclosing two flaws in its Chrome browser that Citizen Lab found linked to Candiru. Google did not refer to Candiru by name, but described it as a commercial surveillance company. Google patched both vulnerabilities earlier this year.
Cyber arms dealers like Candiru often chain together multiple software vulnerabilities to create effective exploits that can reliably intrude into remote computers without the target’s knowledge, according to cybersecurity experts.
These types of covert systems cost millions of dollars and are often sold by subscription, requiring customers to repeatedly pay a vendor for continued access, people familiar with the cyberweapons industry told Reuters.