Microsoft Closes Windows Vulnerabilities Used For State Spyware

Microsoft has discovered malware that it calls DevilsTongue with the help of Citizen Lab. According to Microsoft, it concerns spyware from the Israeli company Sourgum, which exploited Windows leaks and was used by governments, among others.

Microsoft was notified of the malware by Citizen Lab. Microsoft’s Threat Intelligence Center and the Microsoft Security Response Center analyzed the malware and found that it exploits, among other things, two Windows vulnerabilities to run code with elevated privileges on vulnerable systems. These are vulnerabilities CVE-2021-31979 and CVE-2021-33771 , which Microsoft fixed in its patch round this week.

Microsoft found in its investigation that DevilsTongue was used against at least 100 targets, including civil rights activists, journalists and dissidents. According to the company, the attacks were targeted attacks against individuals, with the malware using a chain of exploits that allowed it to escape browser sandboxes and execute code on systems. The targets came from Israel, Palestine, Iran, Lebanon, Spain, the UK and Turkey, among others.

Microsoft traces the malware to Sourgum, a so-called private sector offensive actor that supplies spyware to governments, among others, to be able to penetrate the systems of targets. Microsoft describes in its analysis of DevilsTongue that it concerns cyber weapons and the developers of the company are professional and have good knowledge of Windows and security.

Citizen Lab writes that it is the Israeli company Candiru, but that the company uses different names to stay under the radar. For example, it would now use the name Saito Tech Ltd. The company is said to have customers worldwide and, among other things, use an infrastructure of 750 websites to distribute spyware. Many domains of these would masquerade as social domains such as those of Amnesty International and the Black Lives Matter movement, Citizen Lab said.