0-days sold by Austrian firm used to hack Windows users, Microsoft says
Published: July 28, 2022
Windows and Adobe Reader exploits said to target orgs in Europe and Central America.
Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America.
Multiple news outlets have published articles like this one, which cited marketing materials and other evidence linking DSIRF to Subzero, a malicious toolset for "automated exfiltration of sensitive/private data" and "tailored access operations [including] identification, tracking and infiltration of threats."
Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren’t necessarily the countries in which the DSIRF customers who paid for the attack resided.
"MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks," Microsoft researchers wrote. "These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF."
Wednesday’s post is the latest to take aim at the scourge of mercenary spyware sold by private companies. Israel-based NSO Group is the best-known example of a for-profit company selling pricey exploits that often compromise the devices belonging to journalists, attorneys, and activists. Another Israel-based mercenary spyware vendor, Candiru, was profiled by Microsoft and the University of Toronto’s Citizen Lab last year and was recently caught orchestrating phishing campaigns on behalf of customers that could bypass two-factor authentication.
Also on Wednesday, the US House of Representatives Permanent Select Committee on Intelligence held a hearing on the proliferation of foreign commercial spyware. One of the speakers was the daughter of a former hotel manager in Rwanda who was imprisoned after saving hundreds of lives and speaking out about the genocide that had taken place. She recounted the experience of having her phone hacked with NSO spyware the same day she met with the Belgian foreign affairs minister.
Wednesday’s post also provides detailed indicators of compromise that readers can use to determine if they have been targeted by DSIRF.
Microsoft used the term PSOA, short for private-sector offensive actor, to describe cyber mercenaries like DSIRF. The company said most PSOAs operate under one or both of two models. The first, access-as-a-service, sells full end-to-end hacking tools to customers for use in their own operations. In the other model, hack-for-hire, the PSOA carries out the targeted operations itself.
Microsoft tracks DSIRF under the name KNOTWEED. "Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement," Microsoft researchers wrote.
Source: Reposted and summarized from Dan Goodin at Ars Technica.
My Take: These hackers cause a lot of grief. Somebody should do something about them.