September 26, 2023

Microsoft has revealed that a string of recent security patches was designed to neutralize two zero-day exploits that were being sold as part of an espionage kit to authoritarian governments and spy agencies worldwide.

The espionage kit, allegedly sold by Israeli security outfit Candiru, has been used to target politicians, journalists, human rights workers, academics, dissidents, and more, with at least 100 victims. While 100 is a comparatively low figure next to other major security breaches or attacks, the espionage kit is a highly advanced tool used to target specific individuals rather than the public at large.

The official Microsoft Security blog confirms the discovery of a “private-sector offensive actor” in possession of two Windows zero-day exploits (CVE-2021-31979 and CVE-2021-33771).

Microsoft dubbed the threat actor SOURGUM, noting that the Microsoft Security team believes it is an Israeli private-sector company selling cybersecurity tools to government agencies worldwide. Working with Citizen Lab, the University of Toronto’s network surveillance and human rights laboratory, Microsoft believes the malware and exploit kit used by SOURGUM has “targeted more than 100 victims around the world.”

The Microsoft Security team observed victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore, with many victims operating in sensitive areas, roles, or organizations. Reported Candiru clients include Uzbekistan, Saudi Arabia, the UAE, Singapore, and Qatar, with other reported sales in Europe, former Soviet Union nations, the Persian Gulf, Asia, and Latin America.

In this case, the Israeli company allegedly behind the espionage kit built the two zero-day exploits into a unique malware variant dubbed DevilsTongue, using them to gain access to products that had previously been considered secure.

The patches were issued in the July 2021 Patch Tuesday, which was pushed live on July 6.