Microsoft has revealed that a string of recent security patches were designed to stop two zero-day exploits being sold as part of an espionage kit to authoritarian governments and spy agencies worldwide.

The espionage kit, allegedly sold by Israeli security outfit Candiru, has been used to target politicians, journalists, human rights workers, academics, dissidents, and more, with at least 100 victims. While 100 is a low figure compared to other major security breaches or attacks, the espionage kit is a highly advanced tool used to target specific individuals.

As such, the victims of this kit and the zero-day exploits are likely high-profile individuals with valuable information on potentially seismic topics.

Microsoft Works With Citizen Lab to Take Down Exploits

The official Microsoft Security blog confirms the discovery of a "private-sector offensive actor" in possession of two Windows zero-day exploits (CVE-2021-31979 and CVE-2021-33771).

Microsoft dubbed the threat actor SOURGUM, noting that the Microsoft Security team believes it is an Israeli private-sector company selling cybersecurity tools to government agencies worldwide. Working with Citizen Lab, the University of Toronto's network surveillance and human rights laboratory, Microsoft believes the malware and exploit kit used by SOURGUM has "targeted more than 100 victims around the world."


Citizen Lab's report into the exploits explicitly names Candiru, "a secretive Israel-based company that sells spyware exclusively to governments." The spyware developed by Candiru "can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts."

The Microsoft Security team observed victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore, with many victims operating in sensitive areas, roles, or organizations. Reported Candiru clients include Uzbekistan, Saudi Arabia & the UAE, Singapore, and Qatar, with other reported sales in Europe, former Soviet Union nations, the Persian Gulf, Asia, and Latin America.

Security Patches Eliminate Zero-Day Exploits

A zero-day exploit takes advantage of a security vulnerability that has not yet been disclosed, which an attacker uses to breach a site, service, or other system. Because the security and tech companies are unaware of its existence, the flaw remains unpatched and open to attack.

In this case, the Israeli company allegedly behind the development of the espionage kit used two zero-day exploits, built into a unique malware variant dubbed DevilsTongue, to gain access to previously secure products.

While attacks of this nature are worrying, they're often highly targeted operations that don't typically affect regular users. Furthermore, Microsoft has now patched the zero-day exploits used by the DevilsTongue malware, rendering this particular variant useless. The patches were issued in the July 2021 Patch Tuesday, which was pushed live on July 6.