
Israel-Based Company Assisting Government to Target Journalists, Activists Globally

Candiru, an Israel-based company, exploited two zero-day Windows vulnerabilities in a series of what is being called “precision attacks,” affecting more than a hundred activists, journalists, and political dissidents worldwide.

According to a report, Candiru is a secretive spyware company located in Tel Aviv that sells “untraceable” spyware to governments. Google’s Threat Analysis Group (TAG) also identified the Israel-based company as being involved in exploiting zero-day flaws in the Chrome browser.

“Using Internet scanning we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities,” the report said.

An espionage toolkit dubbed DevilsTongue, capable of weaponizing flaws in a range of devices, was developed by a private-sector offensive actor (which Microsoft calls “Sourgum”) and is sold exclusively to government customers.

DevilsTongue is a modular C/C++ backdoor that enabled the attackers to maintain a foothold on a victim’s device, exfiltrate files, and steal cookies and passwords from multiple browsers, including Chrome and Safari.

Upon further investigation, Microsoft also found that the espionage toolkit could use cookies stolen from logged-in social media accounts to read and send messages, view photos, and collect other private information about the victim.

The researchers discovered two previously unknown zero-day vulnerabilities, tracked as CVE-2021-31979 and CVE-2021-33771, when they obtained a hard drive from a victim in Western Europe containing a copy of Candiru’s Windows spyware. The spyware used both browser and Windows exploits: the browser exploits were delivered through single-use URLs sent to victims via messaging applications, while the Windows exploits allowed a malicious actor to gain elevated privileges and subsequently execute code in the kernel. Microsoft addressed the Windows exploits on July 13.

“As part of their investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians,” the report said.

TAG researchers identified the commercial sale of access to zero-days as a possible reason for the exponential rise in zero-day flaws being exploited. The sale of spyware to government customers for use against civilians is an invitation to chaos. “Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse. This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services,” said Citizen Lab in their report.


Comments

  • your article is helpful for me

    shayan May 28, 2022 12:25 pm
  • Thanks for the news updates

    nameera12 May 31, 2022 9:26 am
