Security News > 2021 > July > Microsoft: Israeli firm used Windows zero-days to deploy spyware
Microsoft and Citizen Lab have linked Israeli spyware company Candiru to new Windows spyware dubbed DevilsTongue deployed using now patched Windows zero-day vulnerabilities.
The investigation into Candiru's attacks started after Citizen Labs shared malware samples found on a victim's systems and led to the discovery of CVE-2021-31979 and CVE-2021-33771, two zero-day vulnerabilities fixed by Microsoft during this month's Patch Tuesday.
The attackers delivered the DevilsTongue malware to victims' computers using an exploit chain that abused vulnerabilities in several popular browsers and the Windows operating system.
DevilsTongue allows its operators to collect and steal victims' files, decrypt and steal Signal messages on Windows devices, and steal cookies and saved passwords from LSASS and Chrome, Internet Explorer, Firefox, Safari, and Opera web browsers.
"DevilsTongue can also send messages as the victim on some of these websites, appearing to any recipient that the victim had sent these messages," as Microsoft researchers further found out.
"The protections we issued this week will prevent Sourgum's tools from working on computers that are already infected and prevent new infections on updated computers and those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint."
News URL
Related news
- Microsoft shares more details on Windows 11 admin protection (source)
- Microsoft launches Zero Day Quest hacking event with $4 million in rewards (source)
- Microsoft now testing hotpatch on Windows 11 24H2 and Windows 365 (source)
- Microsoft plans to boot security vendors out of the Windows kernel (source)
- Microsoft announces new and improved Windows 11 security features (source)
- Microsoft announces Zero Day Quest hacking event with big rewards (source)
- Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity (source)
- Microsoft confirms game audio issues on Windows 11 24H2 PCs (source)
- Microsoft pulls WinAppSDK update breaking Windows 10 app uninstalls (source)
- Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-07-14 | CVE-2021-33771 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 0.0 |
| 2021-07-14 | CVE-2021-31979 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 0.0 |