Canadian group helps Microsoft identify vulnerabilities used in spyware


A Canadian university digital security rights group has helped Microsoft identify and patch two Windows vulnerabilities it says were used by an Israeli-based software company that sells spyware to governments.


The University of Toronto’s Citizen Lab said this week the privilege escalation vulnerabilities were exploited by Saito Tech Ltd., more commonly known as Candiru. Microsoft patched both vulnerabilities as part of its July Patch Tuesday releases.

With the help of a U.S.-based threat intelligence company called Team Cymru and others, Citizen Lab said it found “a politically active victim” in Western Europe and recovered a copy of Candiru’s Windows application. Working with Microsoft’s Threat Intelligence Center (MSTIC), researchers discovered the CVE-2021-31979 and CVE-2021-33771 vulnerabilities.

In its account of the work, Microsoft dubs the company ‘Sourgum.’ Its research shows the malware (which Microsoft calls ‘DevilsTongue’) allegedly sold by the firm targeted more than 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. Approximately half of the victims were found in the territory of the Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (specifically Catalonia), the United Kingdom, Turkey, Armenia, and Singapore.

Citizen Lab said that by scanning the internet it identified more than 750 websites linked to infrastructure supporting the spyware. It found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.


The attacker appears to use a chain of browser and Windows exploits, Microsoft said, including 0-days, to install the DevilsTongue malware on victim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.

DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with what Microsoft says are several novel capabilities. Briefly, it can collect files, query the Windows registry, run WMI commands and query SQLite databases. It’s capable of stealing victim credentials from both Windows’ LSASS (Local Security Authority Subsystem Service) and from browsers. It also has dedicated functionality to decrypt and exfiltrate conversations from victim computers through the Signal messaging app.

It also seems able to use cookies taken directly from the victim’s computer on websites such as Facebook, Twitter, Gmail, Yahoo, Odnoklassniki, and Vkontakte to collect information, read the victim’s messages, and retrieve photos, Microsoft said. DevilsTongue can also send messages as the victim on some of these websites, so that any recipient believes the victim sent them. The capability to send messages could be weaponized to send malicious links to more victims.

This is the latest in a number of investigations by Citizen Lab into what it calls spyware or questionable applications sold to governments for surveillance of citizens. Two years ago its researchers were targets of suspicious people.


The apparent widespread use of Candiru’s infrastructure and the use of its surveillance technology against global civil society, “is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” says the Citizen Lab report.

“This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their domestic and foreign security agencies. Many are characterized by poor human rights track records. It is not surprising that, in the absence of strong legal restraints, these types of government clients will misuse spyware services to track journalists, political opposition, human rights defenders, and other members of global civil society.”

The post Canadian group helps Microsoft identify vulnerabilities used in spyware first appeared on IT World Canada.



