Israeli company Candiru linked to 0-day exploits and the previously unknown DevilsEye spyware
Microsoft and Citizen Lab experts have revealed a connection between the Israeli company Candiru and two exploits for zero-day vulnerabilities in Windows, which were used to deploy previously unknown spyware on the devices of at least a hundred victims, including politicians, human rights defenders, journalists, scientists, embassy employees and dissidents.
Founded in 2014, Candiru is part of a thriving Israeli cyber security market that specializes in selling hacking tools to government intelligence agencies around the world. Although its line of business has long been known, there was little information about the company or its capabilities, and the reports from Microsoft and Citizen Lab are the first to provide a detailed technical analysis of one of Candiru's hacking tools.
That tool is DevilsEye, Windows malware with spyware functionality that gives Candiru's clients full access to an infected device.
Researchers from the Citizen Lab at the University of Toronto were the first to learn of DevilsEye's existence. They stumbled upon it while examining the device of a "politically active victim in Western Europe" and passed their find on to colleagues at Microsoft. Thanks to its extensive telemetry database, the company was able to identify at least one hundred DevilsEye-infected devices in Palestine, Israel, Iran, Lebanon, Yemen, Spain, Great Britain, Turkey, Armenia and Singapore.
According to Microsoft, the malware was typically spread through sites hosting exploit kits for browser vulnerabilities. The victim was lured to one of these sites; after the browser vulnerabilities were exploited, the malware was installed on the victim's device and then used a second-stage exploit to gain administrator rights on Windows.
The attack chain was well thought out and exploited previously unknown (zero-day) vulnerabilities. These include two vulnerabilities in Chrome (CVE-2021-21166 and CVE-2021-30551), one in Internet Explorer (CVE-2021-33742) and two in Windows (CVE-2021-31979 and CVE-2021-33771). All of these vulnerabilities have now been fixed.
The first three vulnerabilities were discovered by Google experts, who recently published a report on them. Google attributed the exploits for the Chrome and IE vulnerabilities to an unnamed vendor of commercial surveillance software. According to Google, the exploits were sold to at least two government-backed cybercriminal groups, who used them to attack users in Armenia. The experts later supplemented their report, stating that the company in question is Candiru.