Microsoft, Google, Citizen Lab blow lid off zero-day bug-exploiting spyware sold to governments

Analysis Software patches from Microsoft this week closed two vulnerabilities exploited by spyware said to have been sold to governments by Israeli developer Candiru.

On Thursday, Citizen Lab released a report fingering Candiru as the maker of the espionage toolkit, an outfit Microsoft code-named Sourgum. It is understood the spyware, code-named DevilsTongue by Microsoft, exploited at least a pair of zero-day holes in Windows to infect particular targets' machines.

Redmond said at least 100 people – from politicians, human rights activists, and journalists, to academics, embassy workers and political dissidents – have had their systems infiltrated by Sourgum's code; about half are in Palestine, and the rest dotted around Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.

Once it has comprehensively compromised a Windows PC, DevilsTongue can exfiltrate the victim's files, obtain their login credentials for online and network accounts, snoop on chat messages, and more. Candiru also touts spyware that can infect and monitor iPhones, Android devices, and Macs, as well as Windows PCs, it is claimed. The products are said to be on sale to government agencies and other organizations, which then use the espionage software against their chosen targets.

"Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab, part of the University of Toronto, said in its report.

"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services."

We're told that at least 764 domain names were found that were likely used in some way to push Candiru's malware to victims: websites using these domains typically masqueraded as legit sites belonging to Amnesty International and refugee organizations, the United Nations, government websites, news outlets, and Black Lives Matter communities. The idea being, it seems, to lure visitors to webpages that exploited browser, Microsoft Office, and Windows bugs to not only infect PCs with DevilsTongue but also grant the spyware admin-level access.

How's that patching going?

Microsoft was able to fix the operating system flaws exploited by Candiru's software in this month's Patch Tuesday after Citizen Lab obtained a hard drive from "a politically active victim in Western Europe," it said. Redmond reverse-engineered the spyware to figure out the infection process.

The Windows goliath saw that two privilege-escalation vulnerabilities, CVE-2021-31979 and CVE-2021-33771, were being exploited, and patched them this week.

"The weapons disabled were being used in precision attacks targeting more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers and political dissidents," said Cristin Goodwin, GM at Microsoft's Digital Security Unit.

• What follows Patch Tuesday? Exploit Wednesday. Grab this bumper batch of security updates from Microsoft
• So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into
• Microsoft patches PrintNightmare – even on Windows 7 – but the terror isn't over
• Samsung commits to 5 years of Android updates... for its enterprise smartphone users at least

In Redmond's technical rundown of the spyware, it said the DevilsTongue malware would gain a foothold on a system by exploiting flaws in, for example, the user's browser when they visited a booby-trapped site, and then use the aforementioned elevation-of-privilege holes to get into the kernel and gain total control of the box.

The software nasty, once on a Windows PC, is capable of gathering all session cookies and passwords from browsers, and can take control of social media accounts and third-party apps. It sported several novel features designed to avoid detection, leading Microsoft to conclude that the "developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security."

Chocolate Factory comes in, warns it's not over

Google, meanwhile, this week detailed a bunch of bugs it detected being exploited by malicious webpages and documents to gain code execution on netizens' machines.

It would appear DevilsTongue exploited CVE-2021-21166 and CVE-2021-30551 in Chrome, and CVE-2021-33742 in Internet Explorer's MSHTML scripting engine – used by Microsoft Office, for instance – and chained them with the above Windows bugs to install itself on the victim's PC and gain admin-level access to data and applications. All a victim would need to do is surf to a booby-trapped page in Chrome, or open a maliciously crafted document in Office.

Those flaws have been patched by now. "Based on our analysis, we assess that the Chrome and Internet Explorer exploits ... were developed and sold by the same vendor providing surveillance capabilities to customers around the world," Googlers Maddie Stone and Clement Lecigne noted, adding: "Citizen Lab published a report tying the activity to spyware vendor Candiru."

Google also documented an unrelated remote-code execution flaw in Safari's Webkit engine for good measure.

We're told the Chrome flaws were spotted being exploited to commandeer Windows computers in Armenia. Marks would be lured to websites that analyzed their screen resolution, timezone, supported languages, browser plugins, and available MIME types to decide whether or not to compromise their browser.

"This information was collected by the attackers to decide whether or not an exploit should be delivered to the target," said Google's Threat Analysis Group (TAG). "Using appropriate configurations, we were able to recover two zero-day exploits."

Further probing revealed that Armenian Windows users were being targeted via the aforementioned Internet Explorer flaw. This would be triggered by opening a Office document that contained either a malicious ActiveX object or VBA macro. Microsoft fixed that issue last month.

Make it rain

Candiru has been in operation since 2014 and reminds us of another Israeli surveillanceware outfit: NSO Group. It's a lucrative business, judging by a contract obtained by Citizen Lab.

The deal, valued at €16.85m ($20m), offers unlimited malware injection attempts but only the ability to surveil ten devices in one country directly. An extra €1.5m ($1.8m) gets access to another 15 devices, and for €5.5m ($6.5m) buyers can snoop on 25 handsets in up to five countries.

There are also paid-for optional extras to access specific accounts. If you want a target's Signal messages, that'll cost another €500,000 ($590,000). Candiru also offers access to a victim's Twitter, Viber, and WeChat for around half that amount. Training for four admins and eight operators is included in the price.

Citizen Lab said Candiru appears to have changed its name five times in the past seven years, and maintains a very low profile. An ex-employee suing the company for lost commission claimed that it had $30m in revenue in 2017, and business is good thanks to the organization's export license.

"Israel’s Ministry of Defense — from whom Israeli-based companies like Candiru must receive an export license before selling abroad — has so far proven itself unwilling to subject surveillance companies to the type of rigorous scrutiny that would be required to prevent abuses of the sort we and other organizations have identified," Citizen Lab said.

"The export licensing process in that country is almost entirely opaque, lacking even the most basic measures of public accountability or transparency."

• Israeli spyware maker NSO channels Hollywood spy thrillers in appeal for legal immunity in WhatsApp battle
• Fancy buying a compact and bijou cardboard box home in a San Francisco alley? This $2.5m Android bounty will get you nearly there
• Ahem, Amazon, Google, Microsoft... Selling face-snooping tech to the Feds is bad, mmm'kay?
• FBI's iPhone paid-for hack should be barred, say ex-govt officials

One wonders how this spyware would fly in America. Facebook is suing the NSO Group, accusing it of unlawfully compromising users' phones to snoop on them via a security hole in WhatsApp.

NSO's lawyers have used a variety of legal arguments, saying that it only licenses its software to governments for criminal or anti-terrorist work and so has sovereign immunity, that it has no presence in the US market, and claiming Facebook itself tried to buy the company's Pegasus snoopware but was turned down. At one stage NSO didn't even bother to turn up in court.

The case is ongoing. US Senator Ron Wyden (D-OR) has called for an investigation into NSO products being touted to law enforcement. ®