According to Microsoft, an Israeli company Candiru was responsible for spreading DevilsTongue malware that compromised the security of PCs running the Windows operating system. The Redmond-based company has cracked down on SOURGUM, a private-sector offensive actor (PSOA), which according to the company, exploited two Windows 0-day vulnerabilities – CVE-2021-31979 and CVE-2021-33771. Both the vulnerabilities have already been patched.
DevilsTongue malware used Browser and Windows exploits
Private-sector offensive actors manufacture and sell cyberweapons to government agencies around the world.
“We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers,” Microsoft said.
Microsoft acted on the tip by Citizen Lab, which then helped the software giant crackdown on SOURGUM. Microsoft and Citizen Lab have neutralized the DevilsTongue malware threat, which affected more than 100 victims worldwide. Some of the prominent victims of this coordinated malware attack include politicians, human rights activists, journalists, and academics, embassy workers, and political dissidents. Microsoft jas issued a software update to protect Windows customers from the underlying 0-day exploits.
Per media reports, private-sector offensive actors often sell Windows exploits and malware to government agencies in Uzbekistan, United Arab Emirates, and Saudi Arabia.
“Approximately half of the victims were found in Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore,” Microsoft added.
However, it doesn’t necessarily mean that government agencies in countries where victims were found are SOURGUM customers, Microsoft has clarified. SOURGUM likely uses a chain of browser and Windows exploits to install malware on Windows machines, courtesy of a link shared over applications like WhatsApp. Both the CVE-2021-31979 and CVE-2021-33771 vulnerabilities could allow an attacker to elevate SYSTEM privileges.
DevilsTongue malware uses cookies to collect information, read the victim’s messages, and retrieve photos. It could also send malicious links to other people on behalf of victims. Windows users who have installed the July 2021 security update are protected from two Windows 0-day exploits for vulnerabilities: CVE-2021-31979 and CVE-2021-33771.
