Israeli Company Aided Governments in Targeting Journalists and Activists with Zero-Day Exploits and Spyware

Two recently patched zero-day vulnerabilities in Windows, addressed in Microsoft’s Patch Tuesday update, were reportedly exploited by the Israeli firm Candiru in a series of targeted attacks on over 100 journalists, academics, activists, and political dissidents worldwide. This spyware vendor has also been identified by Google’s Threat Analysis Group (TAG) as having exploited various zero-day vulnerabilities in the Chrome browser to compromise targets in Armenia, according to a report by the University of Toronto’s Citizen Lab. Citizen Lab researchers noted that “Candiru’s widespread presence and the use of its surveillance technology against global civil society highlight the significant risks posed by the mercenary spyware industry, which is rife with potential for abuse.”

Israeli Company Utilizes Zero-Day Exploits to Target Journalists and Activists

On July 16, 2021, revelations emerged regarding the actions of Candiru, an Israeli surveillance firm, which is reported to have employed two zero-day vulnerabilities in Windows. These flaws were addressed in Microsoft’s recent Patch Tuesday update and were allegedly used to conduct a series of targeted attacks affecting over 100 individuals worldwide, including journalists, academics, activists, and political dissidents. The exploitations are indicative of the growing capabilities of commercial spyware entities that increasingly pose a threat to global civil society.

The University of Toronto’s Citizen Lab has highlighted Candiru’s role as a key player in this landscape of digital espionage. The research unit detailed that the company exploited multiple zero-day vulnerabilities within the Chrome browser, targeting victims specifically located in Armenia. This activity underscores the alarming reach of Candiru’s tools, which are designed to undermine the safety of individuals engaged in free expression and dissent.

As the report outlines, the oppressive potential of tools like those offered by Candiru serves as a stark warning regarding the mercenary spyware industry. The widespread nature of such technologies raises significant ethical concerns, especially considering how they are often weaponized against civil society. The Citizen Lab researchers emphasized that the ongoing abuses within this sector point to an urgent need for international safeguards against such invasions of privacy.

In examining the tactics that may have been employed in these attacks, one can reference the MITRE ATT&CK framework. The initial access likely involved exploiting the identified vulnerabilities, which allowed the attackers to infiltrate targeted systems discreetly. From there, techniques such as persistence could have been established, ensuring that the spyware remained operational even after initial detection efforts. Furthermore, privilege escalation might have been pursued to gain elevated access rights, enabling extensive surveillance capabilities over the victims’ devices.

The implications of such targeted operations extend far beyond individual cases, highlighting a broader trend where surveillance technology is increasingly deployed to control narratives and suppress dissent. The escalating nature of these threats necessitates that business owners and cybersecurity professionals remain vigilant, ensuring their own systems are fortified against similar exploits.

As the landscape of cyber threats evolves, it becomes ever more critical for organizations to understand the potential risks associated with zero-day vulnerabilities and the methodologies employed by malicious actors. Stakeholders within the tech community should prioritize proactive measures to safeguard sensitive data, while also advocating for more robust regulations to govern the spyware industry.

In conclusion, the actions of Candiru represent not only a significant breach of trust but also a challenging scenario for those dedicated to maintaining the integrity of civil discourse and the safety of individuals who utilize digital platforms for social and political engagement. As this story develops, the tech community must engage in ongoing discussions about the ethical deployment of technology and the protection of human rights in an increasingly interconnected world.

Source link

Related Posts

China Enacts New Law Mandating Vendors to Report Zero-Day Vulnerabilities to Authorities

On July 17, 2021, the Cyberspace Administration of China (CAC) introduced stricter regulations regarding vulnerability disclosure. Under the new “Regulations on the Management of Network Product Security Vulnerability,” software and networking vendors are required to report critical flaws directly to government authorities within two days of identification. Set to take effect on September 1, 2021, these regulations aim to standardize the processes of discovering, reporting, and addressing security vulnerabilities while mitigating associated risks. Article 4 of the regulation prohibits any organization or individual from exploiting network security vulnerabilities for malicious activities and bans the illegal sale, collection, or publication of such information. The new rules also prevent the public disclosure of previously unknown security weaknesses.

Researcher Reveals Yet Another Unpatched Vulnerability in Windows Printer Spooler

Date: July 19, 2021

Just days after Microsoft raised alarms about an unpatched security flaw in the Windows Print Spooler service, yet another potential zero-day vulnerability has surfaced, marking the fourth printer-related issue identified in recent weeks. Will Dormann from the CERT Coordination Center noted in an advisory on Sunday that “Microsoft Windows allows non-admin users to install printer drivers through Point and Print.” He highlighted that printers installed this way can load arbitrary libraries by the privileged Windows Print Spooler process. Security researcher Benjamin Delpy, known for creating Mimikatz, has disclosed an exploit for this vulnerability. #printnightmare – Episode 4

Millions of HP, Samsung, and Xerox Printers Vulnerable Due to 16-Year-Old Security Flaw

July 20, 2021

A serious security vulnerability has come to light in a software driver used by HP, Xerox, and Samsung printers, lingering undetected since 2005. Assigned CVE-2021-3438 (CVSS score: 8.8), this issue involves a buffer overflow in the “SSPORT.SYS” print driver installer, which could allow for remote privilege escalation and arbitrary code execution. Hundreds of millions of printers worldwide may be affected, although there is currently no evidence of real-world exploitation. The vulnerability, first identified by SentinelLabs researchers on February 18, 2021, was disclosed in an advisory in May, noting its potential to elevate privileges in certain HP LaserJet and Samsung printer models. Fixes for the impacted devices were made available on May 19, 2021.

New Vulnerabilities in Windows and Linux Grant Attackers Elevated System Privileges

July 21, 2021

Recent findings have uncovered a local privilege escalation vulnerability in Microsoft’s Windows 10 and the soon-to-be-released Windows 11, enabling users with limited permissions to access critical system files. This loophole, referred to as “SeriousSAM,” allows unauthorized individuals to potentially reveal the operating system installation password and decrypt private keys.

According to a vulnerability note from the CERT Coordination Center (CERT/CC), since Windows 10 build 1809, non-administrative users have had access to the SAM, SYSTEM, and SECURITY registry hive files, which could lead to local privilege escalation (LPE). The affected operating system configuration files include:

  • c:\Windows\System32\config\sam
  • c:\Windows\System32\config\system
  • c:\Windows\System32\config\security

Microsoft, which has assigned the identifier CVE-2021-36934 to this vulnerability, has acknowledged the issue but has not yet released a patch.