
Israel Limits Cyberweapons Export List from 102 to 37 Nations


The Israeli government has limited the number of nations to which local security businesses can sell surveillance and offensive hacking equipment by nearly two-thirds, reducing the official cyber export list from 102 to 37. 

The new list, obtained earlier today by the Israeli business publication Calcalist, includes only nations with established democracies, such as European countries and members of the Five Eyes coalition:

Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Iceland, India, Ireland, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, the Netherlands, the UK, and the US. 

Autocratic regimes, to which Israeli corporations have frequently sold surveillance tools, are strikingly absent from the list. Spyware produced by Israeli businesses such as Candiru and the NSO Group has been linked to human rights violations in tens of nations in recent years, with local governments using the tools to spy on journalists, activists, dissidents, and political opponents.

The government has not commented on the list's update, according to Calcalist journalists, and it is unclear why it was cut down earlier this month. The timing, however, suggests that the Israeli government may have been pressured into making this choice.

The list was updated a week after a covert meeting between Israeli and French officials to address suspicions that NSO Group malware was deployed against French President Emmanuel Macron. The announcement coincided with the US sanctioning of four monitoring firms, including Israel's Candiru and NSO Group. 

The sanctions are reported to have sent NSO into a death spiral: the business has slid from a prospective sale to French investors to losing its newly appointed CEO and possibly filing for bankruptcy, having become a company non grata in the realm of cyberweapons.

Azimuth Security co-founder Mark Dowd discussed Israeli-based surveillance vendors and their pattern of selling to offensive regimes in an episode of the Risky Business podcast last month, attributing it to the fact that these companies usually lack the connections in Western governments that would let them compete with Western vendors.

With the Israeli Defense Ministry tightening restrictions on cyber exports to autocratic regimes, the restricted cyber export list is likely to put a significant dent in Israel's estimated $10 billion surveillance sector.

As per a study released earlier this month by the Atlantic Council, there are roughly 224 firms providing surveillance and hacking tools, with 27 of them located in Israel.

Israeli Spyware Firm Attributed to Watering Hole Attacks on Middle East & UK websites


ESET researchers have discovered a new cyber campaign that used malware from Tel Aviv-based Candiru to target websites and services in various Middle Eastern nations, including Saudi Arabia and Iran.

Candiru, like NSO Group, sells malware to government agencies, and the US placed it on a trade blacklist earlier this month, along with a Russian corporation and a Singapore-based company. The latest campaign uses 'watering hole' attacks, in which attackers plant malicious code on legitimate websites that the intended targets are likely to visit. When a targeted user loads the page, the malware infects their computer, allowing the attackers to eavesdrop on them or harm them in other ways.

According to ESET, the websites targeted were Middle East Eye, a London-based news organisation, and Almasirah, a Yemeni news agency linked to the Houthi rebels battling the Saudis. Websites belonging to the Iranian foreign ministry, Yemen's finance and interior ministries, and Syria's energy ministry, as well as internet service providers in Syria and Yemen, were also targeted by the attackers. 

Sites run by the Italian corporation Piaggio Aerospace, the pro-Iranian militant group Hezbollah, and The Saudi Reality, a Saudi Arabian dissident media website, were among the other targets. According to the researchers, the attackers also set up a website posing as a medical trade show in Germany. ESET believes that certain visitors to these sites were targeted via a browser exploit, although the researchers were unable to obtain the exploit or the payload.

ESET researcher Matthieu Faou who uncovered the cyber campaign, stated, "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been tainted with malicious JavaScript code. Our curiosity was aroused by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East were also targeted." 

The researchers have detected no activity from this operation since the end of July 2021, when Google, Citizen Lab, and Microsoft published blog articles outlining Candiru's activities, around the same time that NSO Group became global news.

"The operators appear to be taking a pause, probably in order to retool and make their campaign stealthier," Faou continued. 

Little public information is available about Candiru, which has operated under numerous names since its founding in 2014. The company's current name is Saito Tech Ltd., and it shares several investors with NSO Group.

In July, Citizen Lab and Microsoft researchers stated that more than 100 journalists, politicians, human rights activists, and dissidents in several countries were targeted in a spyware operation that deployed sophisticated 'cyberweapons' created by Candiru.

Candiru, according to Citizen Lab, sells its spyware exclusively to governments and authoritarian leaders, who then use the tools to hijack PCs, Macs, phones, and cloud accounts. For €16 million (£13.4 million), Candiru's clients can attempt to breach an unlimited number of devices, but they can only actively track 10 devices at a time, according to Citizen Lab. Buyers may pay an extra €1.5 million (about £1.25 million) to have Candiru monitor an additional 15 victims.

Israeli Firm Assisted Governments in Targeting Journalists & Activists with Zero Days and Spyware


Microsoft, as part of its Patch Tuesday updates, fixed two zero-day Windows flaws weaponized by Candiru, an Israeli firm, in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally.

According to a report published by the University of Toronto's Citizen Lab, the spyware vendor has also been formally identified as the commercial surveillance firm that Google's Threat Analysis Group (TAG) revealed was exploiting multiple zero-day vulnerabilities in the Chrome browser to attack victims in Armenia.

"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers stated.

"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services." 

Founded in 2014, the private-sector offensive actor (PSOA) — codenamed "Sourgum" by Microsoft — is reported to be the creator of DevilsTongue, an espionage toolkit able to infect and track a wide range of devices across multiple platforms, including iPhones, Android devices, Macs, PCs, and cloud accounts.

After obtaining a hard drive from "a politically active victim in Western Europe," Citizen Lab stated it was able to recover a copy of Candiru's Windows spyware, which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, which were leveraged to install malware on victims' machines.

The infection chain used a combination of browser and Windows vulnerabilities, with the exploits delivered through single-use URLs sent to targets over WhatsApp. On July 13, Microsoft patched both privilege escalation issues, which allow an attacker to escape the browser sandbox and obtain kernel code execution.

The attacks resulted in the deployment of DevilsTongue, a modular C/C++-based backdoor capable of exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers. Microsoft discovered that the digital weapon could gather data, read the victim's messages, get photos, and even send messages on their behalf using stolen cookies from logged-in email and social media accounts including Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte.

Furthermore, the Citizen Lab study linked two Google Chrome vulnerabilities — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv firm, citing similarities in the websites used to disseminate the exploits. 

A total of 764 domains related to Candiru's spyware infrastructure were discovered, many of which purported to be advocacy groups such as Amnesty International, the Black Lives Matter movement, media businesses, and other civil-society-oriented enterprises. 

Saudi Arabia, Israel, the United Arab Emirates, Hungary, and Indonesia were among the countries from which such systems were found to be operated.

According to a Microsoft report, an Israeli hacking-for-hire firm has assisted government clients in spying on more than 100 people throughout the world, including politicians, dissidents, human rights activists, diplomatic staff, and journalists.

Among other well-known news outlets, the Guardian and the Washington Post released details of what they termed "global surveillance operations" using Pegasus. The surveillance is said to be aimed at journalists, and according to the claims, Pegasus malware is being used by over ten nations to spy on people.

SOURGUM's malware has so far targeted over 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. 

These attacks mostly targeted consumer accounts, implying that Sourgum's customers were pursuing specific individuals. TAG researchers Maddie Stone and Clement Lecigne noticed a rise in attackers using more zero-day vulnerabilities in their cyber offensives in the early 2010s, which they attribute to more commercial vendors offering access to zero-day flaws.

Microsoft Threat Intelligence Center (MSTIC) stated in a technical rundown, "Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices."

"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks," MSTIC added.