Zero-day bug attack: Google and Microsoft have released patches for two critical vulnerabilities in their operating systems that were exploited by spyware reportedly sold to governments by the Israeli developer Candiru.
In its report that was released earlier this week, Citizen Labs has said that Candiru’s spyware (called DevilsTongue by Microsoft) can infect and monitor iPhones, Android smartphones, Macs, PCs and even cloud accounts. Microsoft is calling Candiru Sourgum.
In a blog post, Microsoft said the spyware was being used in precision attacks targeting more than 100 victims, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents in countries around the world, among them Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore.
What is DevilsTongue and what does it do?
DevilsTongue is a spyware tool developed by a Tel Aviv, Israel-based company called Candiru. As Citizen Labs explains it, Candiru is a ‘mercenary’ spyware firm that markets ‘untraceable’ spyware to government customers. Their product offering includes solutions for spying on computers, mobile devices, and cloud accounts.
“The €16 million project proposal allows for an unlimited number of spyware infection attempts, but the monitoring of only 10 devices simultaneously. For an additional €1.5M, the customer can purchase the ability to monitor 15 additional devices simultaneously, and to infect devices in a single additional country. For an additional €5.5M, the customer can monitor 25 additional devices simultaneously, and conduct espionage in five more countries,” Citizen Labs wrote in its report.
Once the spyware has infected a Windows PC, it exfiltrates files, exporting all messages saved in the Windows version of the popular encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.
Microsoft’s analysis has also shown that the spyware can send messages from email and social media accounts that are logged in on the victim’s computer. This could allow malicious links or other messages to be sent directly from a compromised user’s machine.
What is Microsoft doing?
To tackle this spyware, Microsoft has released a security patch for two zero-day vulnerabilities – CVE-2021-31979 and CVE-2021-33771. Both were patched in a security update released on July 13, 2021.
“To limit these attacks, we focused on two actions. First, we built protections into our products against the unique malware Sourgum created, and we shared those protections with the security community. Second, we issued a software update that will protect Windows customers from exploits Sourgum was using to help deliver its malware,” Microsoft said in a post.
“We’ve built protections against DevilsTongue into our security products, and we’ve shared these protections with others in the security community so they can protect their customers,” the company added.
What is Google saying?
In a separate report, Google’s Threat Analysis Group (TAG) disclosed several zero-day vulnerabilities in Chrome and Internet Explorer that were being used by the same company. Google identified CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer and CVE-2021-1879 in Safari WebKit. All three companies – Apple, Google and Microsoft – have released security updates to patch these bugs.
What should I do now?
If you haven’t updated your devices – laptops, PCs, tablets and smartphones – now would be a good time to do so. Install the latest security updates available for your devices and you are good to go. – The Hindustan Times, New Delhi/Tribune News Service