Israel-based Candiru, a hacking tool vendor, created and sold a software exploit that can penetrate Microsoft Windows, Microsoft said in a report.
Technical analysis by Citizen Lab and Microsoft details how Candiru's hacking tool was sold to numerous unnamed customers around the globe, who then used it against civil society targets, including a Saudi dissident group and a left-leaning Indonesian news outlet.
Evidence of the exploit recovered by Microsoft suggested it was deployed against users in several countries, including Iran, Lebanon, Spain and the United Kingdom, according to the Citizen Lab report.
Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, its spyware can infect and monitor iPhones, Android devices, Macs, PCs, and cloud accounts.
Using Internet scanning, we identified more than 750 websites linked to Candiru's spyware infrastructure. Citizen Lab found many domains masquerading as advocacy organizations such as Amnesty International and the Black Lives Matter movement, as well as media companies and other civil-society-themed entities.
Citizen Lab identified a politically active victim in Western Europe and recovered a copy of Candiru’s Windows spyware.
Working with the Microsoft Threat Intelligence Center (MSTIC), we analyzed the spyware, resulting in Microsoft's discovery of CVE-2021-31979 and CVE-2021-33771, two privilege escalation vulnerabilities exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021.
As part of its investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.
Microsoft fixed the flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to the vendor as an Israel-based private sector offensive actor under the codename Sourgum.
“Sourgum sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.
On Wednesday, Google published a blog post disclosing two Chrome flaws that Citizen Lab had connected to Candiru. Google did not refer to Candiru by name, describing it instead as a commercial surveillance company. Google patched the two vulnerabilities earlier this year.
Cyber arms dealers like Candiru often chain multiple software vulnerabilities together, for example pairing a browser flaw that provides initial code execution with a privilege escalation flaw that grants full control of the machine, to create exploits that can reliably break into computers remotely without a target's knowledge, computer security experts say.
Those types of covert systems cost millions of dollars and are often sold on a subscription basis, requiring customers to pay the provider repeatedly for continued access, people familiar with the cyber arms industry told Reuters.