0-days sold by Austrian firm used to hack Windows users, says Microsoft

The word zero-day is hidden amid a screen full of ones and zeros.

Microsoft said on Wednesday that an Austrian company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations based in Europe and Central America.

Multiple news outlets have published articles such as this one that cite marketing materials and other evidence linking DSIRF to Subzero, a malicious toolset for “automated exfiltration of sensitive/private data” and “tailored access operations [including] identification, tracking and infiltration of threats.”

Members of the Microsoft Threat Intelligence Center, or MSTIC, said they found that Subzero malware infections spread in a variety of ways, including exploits for Windows and Adobe Reader vulnerabilities that were zero-days at the time, meaning the attackers knew about the vulnerabilities before Microsoft and Adobe did. Targets of attacks seen to date include law firms, banks and strategic consultancies in countries such as Austria, the UK and Panama, although these are not necessarily the countries where the DSIRF customers who paid for the attacks were located.

“MSTIC has found several links between DSIRF and the exploits and malware used in these attacks,” the Microsoft researchers wrote. “These include a command-and-control infrastructure used by malware directly associated with DSIRF, a DSIRF-linked GitHub account being used in an attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF.”

An email sent to DSIRF seeking comment was not returned.

Wednesday’s post is the latest to take aim at the scourge of hired spyware sold by private companies. Israel-based NSO Group is the most famous example of a for-profit company that sells valuable exploits that often compromise devices belonging to journalists, lawyers and activists. Another Israel-based mercenary firm named Candiru was profiled last year by Microsoft and the University of Toronto’s Citizen Lab and was recently caught orchestrating phishing campaigns on behalf of customers that could bypass two-factor authentication.

Also on Wednesday, the US House of Representatives Permanent Select Committee on Intelligence held a hearing on the proliferation of foreign commercial spyware. One of the speakers was the daughter of a former hotel manager in Rwanda who was imprisoned after saving hundreds of lives and speaking out about the massacre. She recounted the experience of having her phone hacked with NSO spyware on the same day she met the foreign minister of Belgium.

Referring to DSIRF by its tracking name KNOTWEED, the Microsoft researchers wrote:

In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged in a PDF document that was sent to the victim via email. Microsoft was not able to obtain the PDF or the Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with moderate confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by the MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we have seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache for an arbitrary process. This cached reference is used the next time the process is spawned.

CVE-2022-22047 was used for privilege escalation in KNOTWEED-related attacks. The vulnerability also provided the ability to escape from the sandbox (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain begins with a sandboxed Adobe Reader renderer process writing a malicious DLL to disk. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path to the malicious DLL. Then, when the system process is next spawned, the attribute is used in the malicious activation context, the malicious DLL is loaded from the given path, and system-level code execution is achieved.
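The quoted write-up says the escalation hinged on an application manifest carrying an undocumented attribute that pointed at a DLL. A defender reviewing manifests can at least flag attributes outside the documented schema and values that look like absolute DLL paths. The following is an added example, not code from Microsoft’s report: the allowlist is a partial, hand-built subset of documented manifest attributes, and the sample manifest’s `loadFrom` attribute is a constructed placeholder, not the real undocumented attribute (which the report does not name).

```python
"""Heuristic review of a Windows application (SxS) manifest for attributes
outside the documented schema. Added example, not from Microsoft's report:
KNOWN_ATTRS is a partial hand-built subset of documented attributes, and the
sample manifest's 'loadFrom' attribute is a constructed placeholder."""
import re
import xml.etree.ElementTree as ET

# Partial allowlist keyed by element local name; anything outside it is
# reported for analyst review, not declared malicious.
KNOWN_ATTRS = {
    "assembly": {"manifestVersion"},
    "assemblyIdentity": {"name", "version", "type", "processorArchitecture",
                         "publicKeyToken", "language"},
    "file": {"name", "hashalg", "hash"},
    "dependency": set(), "dependentAssembly": set(), "trustInfo": set(),
    "security": set(), "requestedPrivileges": set(),
    "requestedExecutionLevel": {"level", "uiAccess"},
    "compatibility": set(), "application": set(), "supportedOS": {"Id"},
}
# Documented attributes name files relative to the assembly directory, so a
# value with a directory separator that ends in .dll is the strongest signal.
DLL_PATH = re.compile(r"[\\/].*\.dll$", re.IGNORECASE)

def local_name(qname):
    """Strip any XML namespace prefix from an element or attribute name."""
    return qname.rsplit("}", 1)[-1]

def scan_manifest(xml_text):
    """Return findings as (element, attribute, value, reason) tuples."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        elem = local_name(el.tag)
        allowed = KNOWN_ATTRS.get(elem)
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if allowed is None:
                findings.append((elem, name, value, "element not in allowlist"))
            elif name not in allowed:
                findings.append((elem, name, value, "undocumented attribute"))
            if DLL_PATH.search(value):
                findings.append((elem, name, value, "absolute DLL path in value"))
    return findings

# Constructed sample: a documented file entry plus a placeholder attribute
# pointing at a DLL outside the assembly directory.
SAMPLE_MANIFEST = r"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.App" version="1.0.0.0" type="win32"
                    processorArchitecture="amd64"/>
  <file name="helper.dll" loadFrom="C:\Users\Public\evil.dll"/>
</assembly>"""
```

Running `scan_manifest(SAMPLE_MANIFEST)` reports the `loadFrom` attribute twice, once as undocumented and once for its absolute DLL path, while the documented `name="helper.dll"` entry is left alone.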

Wednesday’s post also provides detailed indicators of compromise that readers can use to determine if they have been targeted by DSIRF.

Microsoft used the term PSOA—for private sector offensive actor—to describe cyber mercenaries such as DSIRF. The company said that most PSOAs operate under one of two models. The first, access-as-a-service, sells customers complete end-to-end hacking tools for use in their own operations. In the second model, hack-for-hire, the PSOA carries out the targeted operations itself.

“Based on observed attacks and news reports, MSTIC believes that KNOTWEED may combine these models: they sell Subzero malware to third parties, but some attacks use the infrastructure associated with KNOTWEED, suggesting more direct involvement,” the Microsoft researchers wrote.
