Microsoft announced that it has prepared a countermeasure against DevilsTongue, malware that exploits Windows 10 zero-day vulnerabilities and was developed and sold by a group Microsoft calls Sourgum. More than 100 people, including politicians and human rights activists, have been victims of DevilsTongue.
According to Microsoft, the attack exploited two Windows zero-day vulnerabilities (CVE-2021-31979 and CVE-2021-33771) that could allow an attacker to gain elevated privileges and execute kernel code, and were used to deliver the malware known as DevilsTongue.
DevilsTongue is a complex, modular, multi-threaded malware written in C and C++. It collects files, executes commands, harvests credentials stored in browsers such as Chrome and Firefox, and intercepts conversations in the Signal messaging application. It also spreads by creating malicious links and delivering them to victims' PCs. In addition, according to Microsoft, after updating to the latest version of Windows 10, Microsoft Defender for Endpoint blocks the driver used by DevilsTongue through its blocking of exploited, vulnerable signed drivers.
According to Microsoft's investigation, at least 100 people in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the UK, Turkey, Armenia and Singapore were affected by DevilsTongue. The victims are said to include human rights activists, dissidents, journalists, embassy employees and politicians. Microsoft attributes the development and distribution of DevilsTongue to a private-sector offensive actor (PSOA) it codenames Sourgum.
Citizen Lab, which analyzed DevilsTongue in collaboration with Microsoft, asserts that Sourgum is a company called Candiru, headquartered in Tel Aviv, Israel. Since its founding in 2014, Candiru has changed its name four or five times while operating continuously, and it is known to be made up of former members of Unit 8200, an intelligence unit of the Israel Defense Forces. There are many similar cybersecurity companies in Israel, which is known to have a large market for developing and selling spyware tools and malware.
Candiru is classified as a PSOA because it sells its products to government agencies, and Citizen Lab suggests that government agencies are carrying out hacking with DevilsTongue. Arguing that the commercial spyware market established within Israel's cybersecurity industry is becoming a hotbed of cybercrime, Citizen Lab calls for strict regulation.