Microsoft said Wednesday that an Austria-based company called DSIRF used several Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America.
Several news outlets have published articles like this one, which cited marketing and other evidence linking DSIRF to Subzero, a malicious toolkit for “automated exfiltration of sensitive/private data” and “tailored access operations [including] identification, tracking and infiltration of threats.”
Members of the Microsoft Threat Intelligence Center, or MSTIC, said they found Subzero infections spreading through a variety of methods, including the exploitation of what were then zero-day vulnerabilities in Windows and Adobe Reader, meaning the attackers knew about the flaws before Microsoft and Adobe did. Targets observed so far include law firms, banks and strategic consulting firms in countries such as Austria, the United Kingdom and Panama, although those are not necessarily the countries where the DSIRF customers who paid for the attacks reside.
“MSTIC has found multiple links between DSIRF and the vulnerabilities and malware used in these attacks,” Microsoft researchers wrote. “These include command-and-control infrastructure used by the malware that links directly to DSIRF, a GitHub account linked to DSIRF that was used in one attack, a code signing certificate issued to DSIRF that was used to sign an exploit, and other open source news reports attributing Subzero to DSIRF.”
An email sent to DSIRF for comment was not returned.
Wednesday’s post is the latest to target the scourge of mercenary spyware sold by private companies. The Israel-based NSO Group is the best-known example of a for-profit company selling pricey exploits that often compromise the devices of journalists, lawyers and activists. Microsoft and the University of Toronto’s Citizen Lab last year profiled another Israel-based mercenary called Candiru, which was recently found orchestrating phishing campaigns on behalf of customers that could bypass two-factor authentication.
Also on Wednesday, the US House of Representatives Permanent Select Committee on Intelligence held a hearing on the spread of foreign commercial spyware. One of the speakers was the daughter of a former hotel manager in Rwanda who was imprisoned after saving hundreds of lives during the genocide there and later speaking out about it. She recounted how her phone was hacked with NSO spyware on the same day she met the Belgian foreign minister.
Referring to DSIRF by the name KNOTWEED, Microsoft researchers wrote:
In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document sent to the victim via email. Microsoft was unable to obtain the PDF or the Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 1-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we have seen no evidence of browser-based attacks.
The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.
CVE-2022-22047 was used in KNOTWEED-related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specifies the path of the malicious DLL. Then, when the system process next spawns, the attribute in the malicious activation context is used, the malicious DLL is loaded from the given path, and system-level code execution is achieved.
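The manifest-attribute technique Microsoft describes lends itself to a simple hunting heuristic. The Python script below is an added example for this article, not code from Microsoft’s report or from DSIRF’s toolkit: it parses application manifests and flags any attribute, on any element and under any name, whose value is a filesystem path to a loadable module, then rates paths under user-writable directories as higher risk, since the report says the DLL is first dropped to disk from the sandboxed renderer. Microsoft did not name the undocumented attribute, so both sample manifests are constructed and the attribute name hypotheticalDllPath is a placeholder; the list of user-writable prefixes is likewise an assumption, not an exhaustive inventory.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed sample manifests for this example (not taken from the report).
# The first is an ordinary manifest declaring a Common Controls dependency.
# The second carries a placeholder attribute, "hypotheticalDllPath", standing
# in for the undocumented attribute the report describes but does not name.
BENIGN_MANIFEST = r"""
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.App" version="1.0.0.0" processorArchitecture="*"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
                        version="6.0.0.0" processorArchitecture="*"
                        publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
  <file name="helper.dll"/>
</assembly>
"""

SUSPICIOUS_MANIFEST = r"""
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.App" version="1.0.0.0" processorArchitecture="*"/>
  <file name="helper.dll" hypotheticalDllPath="C:\Users\Public\helper.dll"/>
</assembly>
"""

# A value counts as a module path if it has a directory prefix (drive letter,
# UNC share, relative .\ or ..\, or a %ENV% variable) and a loadable extension.
# A bare file name such as "helper.dll" is normal in manifests and is ignored.
MODULE_PATH = re.compile(
    r"^(?:[A-Za-z]:\\|\\\\|\.\.?\\|%[^%]+%\\).*\.(?:dll|exe|ocx)$", re.IGNORECASE
)

# Directories an unprivileged process (such as a sandboxed PDF renderer) can
# usually write to. Assumed list for this example; extend it for your estate.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "%temp%\\", "%tmp%\\",
    "%appdata%\\", "%localappdata%\\", "%userprofile%\\", "%public%\\",
)


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a low-privilege process can write."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def find_path_attributes(manifest_xml: str) -> list[tuple[str, str, str]]:
    """Return (element, attribute, value) for every manifest attribute whose
    value looks like a path to a loadable module, regardless of attribute name."""
    root = ET.fromstring(manifest_xml.strip())
    hits = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        for attr, value in elem.attrib.items():
            if MODULE_PATH.match(value.strip()):
                hits.append((tag, attr.rsplit("}", 1)[-1], value))
    return hits


def assess(manifest_xml: str) -> list[dict]:
    """Score each hit: any module path is 'suspicious'; one under a user-writable
    directory is 'high', matching the drop-then-load chain in the report."""
    findings = []
    for tag, attr, value in find_path_attributes(manifest_xml):
        severity = "high" if is_user_writable(value) else "suspicious"
        findings.append({"element": tag, "attribute": attr, "path": value, "severity": severity})
    return findings


if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(name, assess(xml) or "no module-path attributes")
```

Run against manifests extracted from binaries (the RT_MANIFEST resource) or from .manifest files on disk, this surfaces only attributes carrying a path value, so the unknown attribute name is not a blind spot; the cost is that it will not catch an attribute that encodes the path some other way, which is why it is a triage aid and not a substitute for the July 2022 patch.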
Wednesday’s post also provides detailed indicators of compromise that readers can use to determine whether they have been targeted by DSIRF.
Microsoft uses the term PSOA, short for private-sector offensive actor, to describe cyber mercenaries like DSIRF. The company said most PSOAs operate under one or both of two models. The first, access-as-a-service, sells complete end-to-end hacking tools to customers for use in their own operations. In the other model, hack-for-hire, the PSOA carries out the targeted operations itself.
Microsoft researchers wrote: “Based on the observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: it sells the Subzero malware to third parties but has also been observed using KNOTWEED-related infrastructure in some attacks, indicating more direct involvement.”