A Canadian university digital security rights group has helped Microsoft identify and patch two Windows vulnerabilities it says were used by an Israel-based software company that sells spyware to governments.
The University of Toronto’s Citizen Lab said this week the privilege escalation vulnerabilities were exploited by Saito Tech Ltd., more commonly known as Candiru. Microsoft patched both vulnerabilities as part of its July Patch Tuesday releases.
With the help of a U.S.-based threat intelligence company called Team Cymru and others, Citizen Lab said it found “a politically active victim” in Western Europe and recovered a copy of Candiru’s Windows application. Working with Microsoft’s Threat Intelligence Center (MSTIC), researchers discovered the CVE-2021-31979 and CVE-2021-33771 vulnerabilities.
In its account of the work, Microsoft dubs the company ‘Sourgum.’ Its research shows the malware allegedly sold by the firm — which Microsoft calls ‘DevilsTongue’ — targeted more than 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. Approximately half of the victims were found in the territory of the Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (specifically Catalonia), the United Kingdom, Turkey, Armenia, and Singapore.
Citizen Lab said that by scanning the internet it identified more than 750 websites linked to infrastructure supporting the spyware. It found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.
The attacker appears to use a chain of browser and Windows exploits, Microsoft said, including zero-days, to install the DevilsTongue malware on victims’ machines. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.
DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with what Microsoft says are several novel capabilities. Briefly, it can collect files, query the Windows registry, run WMI commands and query SQLite databases. It’s capable of stealing victim credentials from both Windows’ LSASS (Local Security Authority Subsystem Service) and from browsers. It also has dedicated functionality to decrypt and exfiltrate conversations from victim computers through the Signal messaging app.
This is the latest in a number of investigations by Citizen Lab into what it calls spyware or questionable applications sold to governments for surveillance of citizens. Two years ago its researchers were themselves targeted by suspicious individuals.
The apparent widespread use of Candiru’s infrastructure and the use of its surveillance technology against global civil society “is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” says the Citizen Lab report.
“This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their domestic and foreign security agencies. Many are characterized by poor human rights track records. It is not surprising that, in the absence of strong legal restraints, these types of government clients will misuse spyware services to track journalists, political opposition, human rights defenders, and other members of global civil society.”