Microsoft said Wednesday that an Austrian company called DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations based in Europe and Central America.
Several news outlets published articles like this one, citing marketing materials and other evidence linking DSIRF to Subzero, a malicious toolset for “automated exfiltration of sensitive / private data” and “custom login operations [including] identification, tracking and infiltration of threats.”
Members of the Microsoft Threat Intelligence Center, or MSTIC, said they encountered Subzero malware infections spread through a variety of methods, including the exploitation of what were then Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks and strategic consulting firms in countries such as Austria, the United Kingdom and Panama, although these are not necessarily the countries where the DSIRF clients who paid for the attacks resided.
“MSTIC found multiple links between DSIRF and the exploits and malware used in these attacks,” the Microsoft researchers wrote. “These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code-signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”
An email sent to DSIRF seeking comment was not returned.
Wednesday’s post is the latest to target the scourge of mercenary spyware sold by private companies. The Israel-based NSO Group is the best-known example of a for-profit company selling expensive exploits that often compromise devices belonging to journalists, lawyers and activists. Another Israel-based mercenary, Candiru, was profiled by Microsoft and the University of Toronto’s Citizen Lab last year and was recently caught orchestrating phishing campaigns on behalf of customers that could bypass two-factor authentication.
Also on Wednesday, the US House Permanent Select Committee on Intelligence held a hearing on the proliferation of foreign commercial spyware. One of the speakers was the daughter of a former hotel manager in Rwanda who was imprisoned after saving hundreds of lives during the genocide and speaking out about it. She recounted how her phone was hacked with NSO spyware on the same day she met the Belgian foreign minister.
Referring to DSIRF by the work name KNOTWEED, Microsoft researchers wrote:
In May 2022, MSTIC detected an Adobe Reader remote code execution (RCE) exploit and a chain of 0-day Windows privilege escalation exploits used in an attack that led to the distribution of Subzero. The exploits were packaged in a PDF document which was sent to the victim via email. Microsoft was unable to acquire the PDF or the Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning the exploit used was either a 1-day exploit developed between January and May or a 0-day exploit. Based on KNOTWEED’s extensive use of additional 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used by Chromium-based browsers, although we saw no evidence of browser-based attacks.
Vulnerability CVE-2022-22047 is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could allow an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache for an arbitrary process. This cached context is used the next time the process is spawned.
CVE-2022-22047 was used in KNOTWEED-related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain begins with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path to the malicious DLL. Then, the next time the system process was spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the specified path, and system-level code execution was achieved.
Wednesday’s post also provides detailed indicators of compromise that readers can use to determine if they have been targeted by DSIRF.
Microsoft used the term PSOA, short for private-sector offensive actor, to describe cyber mercenaries such as DSIRF. The company said most PSOAs operate under one or both of two models. The first, access-as-a-service, sells complete end-to-end hacking tools to customers for use in their own operations. In the other model, hack-for-hire, the PSOA itself carries out the targeted operations.
“Based on the observed attacks and the news, MSTIC believes that KNOTWEED may merge these models: they sell Subzero malware to third parties but have also been observed using infrastructure associated with KNOTWEED in some attacks, suggesting more direct involvement,” Microsoft researchers wrote.