Headline
Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits
A cyber mercenary that “ostensibly sells general security and information analysis services to commercial customers” used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that’s linked to the
A cyber mercenary that “ostensibly sells general security and information analysis services to commercial customers” used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities.
The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that’s linked to the development and attempted sale of a piece of cyberweapon referred to as Subzero, which can be used to hack targets’ phones, computers, and internet-connected devices.
“Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,” the tech giant’s cybersecurity teams said in a Wednesday report.
Microsoft is tracking the actor under the moniker KNOTWEED, continuing its trend of naming PSOAs using names given to trees and shrubs. The company previously designated the name SOURGUM to Israeli spyware vendor Candiru.
KNOTWEED is known to dabble in both access-as-a-service and hack-for-hire operations, offering its toolset to third parties as well as directly associating itself in certain attacks.
While the former entails the sales of end-to-end hacking tools that can be used by the purchaser in their own operations without the involvement of the actor, hack-for-hire groups run the targeted operations on behalf of their clients.
The deployment of Subzero is said to occur through the exploitation of multiple issues, including an exploit chain that leverages an Adobe Reader remote code execution (RCE) flaw and a zero-day privilege escalation bug (CVE-2022-22047), the latter of which was addressed by Microsoft as part of its July Patch Tuesday updates.
“CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes and achieve system-level code execution,” Microsoft explained.
Similar attack chains observed in 2021 leveraged a combination of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) in conjunction with an Adobe reader flaw (CVE-2021-28550). The three vulnerabilities were resolved in June 2021.
The deployment of Subzero subsequently occurred through a fourth exploit, this time taking advantage of a privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which was closed by Microsoft in August 2021.
Beyond these exploit chains, Excel files masquerading as real estate documents have been used as a conduit to deliver the malware, with the files containing Excel 4.0 macros designed to kick-start the infection process.
Regardless of the method employed, the intrusions culminate in the execution of shellcode, which is used to retrieve a second-stage payload called Corelump from a remote server in the form of a JPEG image that also embeds a loader named Jumplump that, in turn, loads the Corelump into memory.
The evasive implant comes with a wide range of capabilities, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from the remote server.
Also deployed during the attacks were bespoke utilities like Mex, a command-line tool to run open source security plugins like Chisel, and PassLib, a tool to dump credentials from browsers, email clients, and the Windows credential manager.
Microsoft said it uncovered KNOTWEED actively serving malware since February 2020 through infrastructure hosted on DigitalOcean and Choopa, alongside identifying subdomains that are used for malware development, debugging Mex, and staging the Subzero payload.
Multiple links have also been unearthed between DSIRF and the malicious tools used in KNOTWEED’s attacks.
“These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,” Redmond noted.
Subzero is no different from off-the-shelf malware such as Pegasus, Predator, Hermit, and DevilsTongue, which are capable of infiltrating phones and Windows machines to remotely control the devices and siphon off data, sometimes without requiring the user to click on a malicious link.
If anything, the latest findings highlight a burgeoning international market for such sophisticated surveillance technologies to carry out targeted attacks aimed at members of civil society.
Although companies that sell commercial spyware advertise their wares as a means to tackle serious crimes, evidence gathered so far has found several instances of these tools being misused by authoritarian governments and private organizations to snoop on human rights advocates, journalists, dissidents, and politicians.
Google’s Threat Analysis Group (TAG), which is tracking over 30 vendors that hawk exploits or surveillance capabilities to state-sponsored actors, said the booming ecosystem underscores “the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments.”
“These vendors operate with deep technical expertise to develop and operationalize exploits,” TAG’s Shane Huntley said in a testimony to the U.S. House Intelligence Committee on Wednesday, adding, “its use is growing, fueled by demand from governments.”
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.
Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.
Hello everyone! Microsoft has been acting weird lately. I mean the recent publication of a propaganda report about evil Russians and how Microsoft is involved in the conflict between countries. It wouldn’t be unusual for a US government agency, NSA or CIA to publish such a report. But when a global IT vendor, which, in […]
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. I could spend time in this newsletter every week talking about fake news. There are always so many ridiculous memes, headlines, misleading stories, viral Facebook posts and manipulated media that I see come across my Instagram feed or via my wife when she shows me TikToks she favorited. One recent event, though, was so crushing to me that I had to call it out specifically. Former Japanese Prime Minister Shinzo Abe was assassinated earlier this month while making a campaign speech in public. This was a horrible tragedy marking the death of a powerful politician in one of the world’s most influential countries. It was the top story in the world for several days and was even more shocking given Japan’s strict gun laws and the relative infrequency of any global leaders being the target of violence. It took no time for the internet at large to take this tragedy and immediately try to spin it to the...
Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.
July's Patch Tuesday gives us a lot of important security updates. Most prominently, a known to be exploited vulnerability in Windows CSRSS. The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.
Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one
Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.
Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22049.
July's security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.
By Jon Munshaw and Tiago Pereira. Microsoft released its monthly security update Tuesday, disclosing more than 80 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild. July's security update... [[ This is only the beginning! Please visit the blog for the complete entry ]]
Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have access to. CVE-2022-31233 addresses the partial fix in CVE-2021-36338.
Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.