Microsoft security and threat intelligence teams reportedly caught an Austrian company selling spyware based on previously unknown Windows exploits.
The new details were released Wednesday in a technical blog post from Microsoft’s Threat Intelligence Center (MSTIC), published to coincide with written testimony given by the software company to a House Intelligence Committee hearing on commercial spyware and the cyber surveillance.
The spyware developer – officially named DSIRF but Microsoft tracks under the codename KNOTWEED – has created spyware known as Subzero which has been used to target law firms, banks and consulting firms in the UK, Austria and Panama, Microsoft said. MSTIC’s analysis revealed that exploits used by DSIRF to compromise systems included a Windows zero-day privilege escalation exploit and an Adobe Reader remote code execution attack. Microsoft says the exploit used by DSIRF has now been patched in a security update.
DSIRF claims to help multinationals perform risk analysis and collect business intelligence, but Microsoft (and other local news reports) have linked the company to the sale of spyware used for unauthorized surveillance. Per Microsoft blog post:
MSTIC has found several links between DSIRF and the exploits and malware used in these attacks. These include the command and control infrastructure used by the malware directly linked to DSIRF, a GitHub account associated with DSIRF used in an attack, a code signing certificate issued to DSIRF used to sign an exploit and other open source reporting. assigning Subzero to DSIRF.
The new information about Microsoft’s tracking and mitigation of DSIRF/KNOTWEED exploits was released alongside a written testimony document submitted to the hearing on “Combating Threats to U.S. National Security Through the proliferation of foreign commercial spyware”, which was held on 27 July.
Microsoft’s written testimony describes a largely unregulated commercial spyware industry where private actors were free to contract with repressive regimes around the world.
“More than a decade ago, we began to see private sector companies enter this sophisticated surveillance space as autocratic nations and smaller governments sought out the capabilities of their larger, better-resourced counterparts. “, says the testimony.
“In some cases, companies were developing capabilities that governments could use in accordance with the rule of law and democratic values. But in other cases, companies have begun to build and sell surveillance as a service…to authoritarian governments or governments acting inconsistently with the rule of law and human rights standards. ‘man.
To combat the threat to free speech and human rights, Microsoft advocates that the United States help advance the debate over spyware as a “cyber weapon”, which could then be subject to global standards and regulations as are other classes of weapons.
At the same hearing, the Intelligence Committee also received testimony from Carine Kanimba, daughter of imprisoned Rwandan activist Paul Rusesabagina, who is credited with saving 1,200 Rwandans during the 1994 genocide. she was pleading for her father’s release, researchers believed that Kanimba’s phone had been infected with NSO Group’s Pegasus spyware.
“Unless there are consequences for countries and their enablers who misuse this technology, none of us are safe,” Kanimba said.
The NSO Group was also referenced by Citizen Lab senior researcher John Scott-Railton, another expert witness who testified before the committee. Scott-Railton described a changing global landscape in which access to the most sophisticated and intrusive digital surveillance techniques – once available only to a handful of nation states – was becoming more widespread due to the involvement of “mercenary spyware companies”.
The greater capacity of these tools meant that even US officials were more likely to be targeted, as reportedly happened to nine State Department employees working in Uganda whose iPhones were hacked with NSO’s Pegasus.
“It is clear that the United States government is not immune to the threat of mercenary spyware,” Scott-Railton said.