A set of unique spyware strains created by an Israeli firm & allegedly used by govts. around the world to watch dissidents has been defanged by Microsoft, the software company just revealed.
Candiru, aka Sourgum, allegedly sells the Devils Tongue surveillance malware to govts. worldwide.
The private company, called variously Candiru, Grindavik, Saito Tech & Taveta (& dubbed “Sourgum” by Microsoft), reportedly sells its wares just to govts., according to Citizen Lab, which 1st analysed the malware & flagged it for Microsoft.
Devils Tongue
The code, collectively known as “Devils Tongue,” has been used in highly targeted cyber-attacks against civil society, according to an advisory issued Thur. – making use of a pair of zero-day vulnerabilities in Windows (now patched).
The victims number more than 100, & include politicians, human-rights activists, journalists, academics, embassy workers & political dissidents, Citizen Lab & Microsoft observed. The targets have been global, located in Armenia, Iran, Israel, Lebanon, the Palestinian Authority & Gaza, Singapore, Spain, Turkey, the UK & Yemen.
Cyber-Weapons
“Sourgum generally sells cyber-weapons that enable its customers, often govt. agencies around the world, to hack into their targets’ computers, phones, network infrastructure & internet-connected devices,” according to Microsoft’s tandem advisory. “These agencies then choose who to target & run the actual operations themselves.”
Citizen Lab researchers said that Devils Tongue can take data & messages from various accounts, including Facebook, Gmail, Skype & Telegram. The spyware can also capture browsing history, cookies & passwords, turn on the target’s webcam and microphone, & take pictures of the screen.
“Capturing data from additional apps, such as Signal Private Messenger, is sold as an add-on,” according to the firm.
Stolen Cookies
Microsoft noted that the stolen cookies can later be used by the attacker to sign in as the victim to websites to enable further information gathering.
The code can infect & monitor Android phones, cloud accounts, iPhones, Macs & PCs, Citizen Lab researchers explained, noting that Devils Tongue’s command & control (C2) infrastructure involves more than 750 websites, including “domains masquerading as advocacy organisations such as Amnesty International, the Black Lives Matter movement as well as media companies.”
Millions of Euros
Devils Tongue as a kit goes for millions of Euros, according to a leaked proposal [PDF] obtained by Citizen Lab. It can be deployed in a number of attack vectors, including via malicious links, attached files in emails & man-in-the-middle attacks. The cost depends on the number of concurrent infections a user would like to maintain.
“The €16m project proposal allows for an unlimited number of spyware infection attempts, but the monitoring of only 10 devices simultaneously,” according to Citizen Lab.
“For an additional €1.5M, the customer can purchase the ability to monitor 15 additional devices simultaneously, & to infect devices in a single additional country. For an additional €5.5m, the customer can monitor 25 additional devices simultaneously, & conduct espionage in 5 more countries.”
Handful of Countries
It added, “For a further additional €1.5m fee, customers can purchase a remote-shell capability, which allows them full access to run any command or program on the target’s computer. This kind of capability is especially concerning, given that it could also be used to download files, such as planting incriminating materials, onto an infected device.”
Use of Devils Tongue is restricted in a handful of countries, including China, Iran, Israel, Russia & the U.S. However, there are, apparently, loopholes.
“Microsoft observed Candiru victims in Iran, suggesting that in some situations, products from Candiru do operate in restricted territories,” Citizen Lab researchers stated. “In addition, targeting infrastructure disclosed in this report includes domains masquerading as the Russian postal service.”
Zero-Day Exploits
The spyware exploits 2 elevation-of-privilege security vulnerabilities in Windows, CVE-2021-31979 & CVE-2021-33771, both of which were addressed in Microsoft’s July Patch Tues. update this week.
The attacks are carried out via “a chain of exploits that impacted popular browsers & our Windows operating system,” Microsoft noted.
Both bugs give an attacker the ability to escape browser sandboxes & gain kernel code execution, Microsoft outlined:
The Bugs
- CVE-2021-31979: An integer overflow within Windows NT-based operating system (NTOS). “This overflow results in an incorrect buffer size being calculated, which is then used to allocate a buffer in the kernel pool,” according to Microsoft. “A buffer overflow subsequently occurs while copying memory to the smaller-than-expected destination buffer.
This vulnerability can be used to corrupt an object in an adjacent memory allocation. Using APIs from user mode, the kernel pool memory layout can be groomed with controlled allocations, resulting in an object being placed in the adjacent memory location.
Once corrupted by the buffer overflow, this object can be turned into a user mode to kernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.”
- CVE-2021-33771: A race condition within NTOS resulting in the use-after-free of a kernel object. “By using multiple racing threads, the kernel object can be freed, and the freed memory reclaimed by a controllable object,” explained Microsoft.
Pool Memory
“Like the previous vulnerability, the kernel pool memory can be sprayed with allocations using user mode APIs with the hopes of landing an object allocation within the recently freed memory. If successful, the controllable object can be used to form a user mode to kernel mode read/write primitive & elevate privileges.”
To mitigate attacks, Microsoft said that it “built protections into our products against the unique malware Sourgum created,” in addition to the patching.
“These attacks have largely targeted consumer accounts, indicating Sourgum’s customers were pursuing particular individuals,” according to Microsoft.
Already Infected
“The protections we issued this week will prevent Sourgum’s tools from working on computers that are already infected & prevent new infections on updated computers & those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint.”
Private brokers of cyber-attack kits for govt. surveillance have been publicised mainly thanks to another Israeli firm, NSO Group, which created the Pegasus spyware that enables customers to remotely exploit & monitor mobile devices.
Tool for Govts
NSO Group has long maintained that its kit is meant to be a tool for govts. to use in fighting crime & terror, & that it is not complicit in any govt’s misuse of it.
However, critics say that repressive governments use it for more nefarious purposes to track dissidents, journalists & other members of civil society, & that NSO Group assists them. In Dec., Pegasus added an exploit for a zero-day in Apple’s iMessage feature for iPhone.
