Israeli Spyware Vendor Linked With Microsoft Windows Zero-Day Exploits

  • An Israeli spyware firm named ‘Candiru’ was linked with the exploitation of recently patched zero-days.
  • The company has made an OpSec mistake which allowed researchers to link its spyware with its infrastructure.
  • The latest government campaigns targeted at least 100 victims in several countries.

Researchers at the CitizenLab and the Microsoft Threat Intelligence Center have discovered the spyware (“DevilsTongue”) of a previously obscure vendor based in Tel Aviv, in Israel, operating under the name ‘Candiru.’ Reportedly, the vendor was using spyware that exploited two (CVE-2021-31979 and CVE-2021-33771) of the four zero-days that Microsoft fixed with the latest Tuesday patch.

Moreover, the investigators confirmed that there are over 750 websites that support the particular spyware, and there are at least a hundred victims located in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore.

The malware that Candiru promotes only on a government level is presented as “untraceable” and can infect iOS, Android, macOS, and Windows. Even cloud accounts can be compromised and monitored by the spyware, allegedly without raising any alarms no matter what service is used. Microsoft has posted a complete technical analysis of “DevilsTongue,” so if you’re interested in diving deeper, check out this page.

As a company, Candiru makes a sincere effort to not draw the attention of the public. Having been established in 2014, the company registered four more corporate names in the years that followed and also spun a subsidiary. According to a lawsuit of a former employee spotted by CitizenLab, Candiru has sold $30 million worth of spyware licenses between 2014 and 2016 alone, with clients reportedly based in Europe, Russia, the Persian Gulf, Asia, and Latin America.

Candiru Office, Source: CitizenLab

This sounds like the typical spyware firm that sells its tools to oppressive regimes around the globe without considering the ethical aspect of its business. Starting from 2019, Candiru was fully uncovered as a seller of cyberweapons, and various media stories linked them with the government of Uzbekistan, Saudi Arabia, the United Arab Emirates, Singapore, and Qatar.

However, Candiru has a list of restricted territories for deploying its products, including the United States, Russia, China, Israel, and Iran. This is exactly the same restriction list used by the NSO Group. As Microsoft’s investigation confirmed, though, Iran was still targeted in recent campaigns nonetheless.

Through a leaked confidential project proposal, we learn that Candiru sells its main product for €16 million, and then adding on top of that for the simultaneous monitoring of multiple devices, conduct espionage operations in more countries, etc.

Source: TheMarker

The linking between the spyware caught in the wild and Candiru was a case of OpSec failure, as CitizenLab was able to find an email address from a self-signed TLS certificate that belongs to Candiru’s main domain. From there, more matches were made as more IP addresses and certificates were correlated, leading to SQL queries and the final mapping of the firm’s infrastructure.

Many websites sitting on this infrastructure masquerade as international media portals, advocacy organizations like ‘Black Lives Matter’ or Amnesty International, tech giants like Microsoft, Google, and Apple, social media platforms such as Facebook and Twitter, international organizations like the United Nations, and Wikipedia. This pluralism is nothing else than a pool of entrapment possibilities for activists, journalists, politicians, human rights defenders, and freedom of speech advocates.

REVIEW OVERVIEW

Latest

Why Are My Apps Not Downloading on My New iPhone 13? 

By default, your apps should download automatically once you set up your iPhone 13. However, in some instances, the iOS App Store might have a...

How to Remove SIM Card From iPhone 13 Without Ejector Tool 

Before you start setting up your iPhone 13, you need to insert your SIM card. That way, your iPhone can register and activate, letting...

How to Use Macro Mode on iPhone 13 Pro and Pro Max

Checking the official iPhone 13 camera specs reveals something interesting about the Pro and Pro Max models. Their cameras have larger sensors, capable of...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari