Microsoft announces that Israeli private sector may have developed 'Devils Tongue' malware that exploits Windows zero-day vulnerabilities



Microsoft announced that it has taken measures against the malware 'DevilsTongue ' that attacks the zero-day vulnerability of Windows 10 developed and sold by a group called 'Sourgum'. More than 100 people have been victims of Devils Tongue, including politicians and human rights activists, and Microsoft and the University of Toronto security research organization

Citizen Lab point out that 'Sourgum is an Israeli private security company.'

Fighting cyberweapons built by private businesses --Microsoft On the Issues
https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberweapons-cybersecurity-sourgum-malware/



Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware | Microsoft Security Blog
https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/


Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus --The Citizen Lab
https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/


According to Microsoft, the attack in question targeted the Windows zero-day vulnerabilities CVE-2021-31979 and CVE-2021-33771 with malware called 'DevilsToungue ', which allowed the attacker to remotely privilege and kernel code. To be able to execute.

Devils Tongue is a 'complex modular multithreaded malware' written in C and C ++ that collects files, executes commands, scans credentials from browsers such as Chrome and Firefox, and intercepts conversations from the encrypted messaging app Signal. And so on. Furthermore, it is said that it will multiply by creating a malicious link and sending it from the victim's PC. According to Microsoft, the driver used by Devils Tongue will be blocked by updating to the latest version of Windows 10 and enabling 'Block exploited vulnerable signed drivers' from Microsoft Defender for Endpoints. Will be done.

According to a Microsoft study, at least 100 people have been affected by Devils Tongue in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore. Many of the victims were human rights activists, dissidents, journalists, embassy staff, and politicians. Microsoft calls the group that developed and distributed Devils Tongue under the codename 'Sourgum' and points out that it is a private sector offensive actor (PSOA).

Citizen Lab, which analyzed Devils Tongue in collaboration with Microsoft, asserts that a company called 'Candiru' based in Tel Aviv, Israel is the true identity of Sourgum.



Founded in 2014, Candiru has been changing its name four to five times and is said to be made up of former members of the Israeli Defense Forces intelligence unit, Unit 8200. There are many similar cybersecurity companies in Israel, and it is known that there is a huge cybersecurity market that develops and sells spy tools and malware.

Israel's cybersecurity industry consists of military secret societies-GIGAZINE



Candiru is recognized as a PSOA because it sells its products to government agencies, and Citizen Lab suggests that government agencies may be hacking with Devils Tongue. The establishment of the commercial spyware market in the Israeli cybersecurity market is a hotbed for cybercrime, and we strongly urge that it should be strictly regulated.

in Security, Posted by log1i_yk