Israeli Firm Candiru's Spyware Used to Target DissidentsResearchers: Spyware Targets 100 Victims in 10 Countries
Cyberattackers used spyware from the Israeli firm Candiru to target at least 100 human rights defenders, dissidents, journalists and others across 10 countries, according to researchers at the University of Toronto’s Citizen Lab, which tracks illegal hacking and surveillance.
“Based on our analysis of Internet scanning data, we believe that there are Candiru systems operated from Saudi Arabia, Israel, UAE, Hungary and Indonesia, among other countries,” the researchers say in their new report.
Those targeted with the spyware, which is designed for use by governments, were human rights defenders, dissidents, journalists, activists and politicians located in the Palestinian territories, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore, the researchers say.
The researchers say they "identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies and other civil society-themed entities."
Certain governments are using surveillance of perceived opponents to undermine opposition, according to the U.K. law firm Leigh Day. “This threat of surveillance has the effect of chilling activism and significantly contributes to a climate of repression,” the company says.
Microsoft Flaws Fixed
The Candiru spyware exploits two privilege escalation vulnerabilities in Microsoft Windows Server, CVE 2021 33771 and CVE-2021-31979. The two flaws were patched by Microsoft on Tuesday, the company notes in an alert (see: Microsoft Releases Patches for 4 Exploited Zero-Day Flaws).
The Israeli firm's spyware was used in “precision attacks” against targets’ computers, phones, network infrastructure and internet-connected devices, says Cristin Goodwin, general manager of Microsoft’s digital security unit.
Microsoft, which did not refer to Candiru by name - instead calling the surveillance providers Sourgum and the spyware DevilsTongue - says it began initiating patching after being alerted by Citizen Lab.
"By examining how Sourgum's customers were delivering DevilsTongue to victim computers, we saw they were doing so through a chain of exploits that impacted popular browsers and our Windows operating system," Microsoft says. "Earlier this week, we released updates that, when installed, protect Windows customers from two key Sourgum exploits."