0-days sold by Austrian company used to hack Windows users, Microsoft says


Microsoft said on Wednesday that an Austrian company named DSIRF exploited several Windows zero-days and an Adobe Reader vulnerability to hack into organizations located in Europe and Central America.

Several news outlets have published articles citing marketing materials and other evidence linking DSIRF to Subzero, a malicious toolset for "automated exfiltration of sensitive/private data" and "tailored access operations [including] threat identification, tracking and infiltration."

Members of the Microsoft Threat Intelligence Center, or MSTIC, say they have found that Subzero infections are spread through a variety of methods, including the exploitation of what were at the time zero-day vulnerabilities in Windows and Adobe Reader, meaning the attackers knew of the flaws before Microsoft and Adobe did. Targets observed to date include law firms, banks and strategy consulting firms in countries including Austria, the UK and Panama, although the DSIRF customers who paid for the attacks did not necessarily reside in those countries.

“MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks,” the Microsoft researchers wrote. “These include the command and control infrastructure used by the malware directly linked to DSIRF, a GitHub account associated with DSIRF used in an attack, a code signing certificate issued to DSIRF used to sign an exploit and other open source reporting attributing Subzero to DSIRF.”


An email sent to DSIRF requesting comment was not returned.
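The code-signing link in Microsoft's attribution above suggests a simple hunt a defender can run on an endpoint: enumerate executables and inspect who their Authenticode signer is. The following PowerShell is an added example and is not code from Microsoft's report or from the article; the article does not disclose the certificate's subject or thumbprint, so the `*DSIRF*` pattern and the default search paths are assumptions that should be replaced with indicators from your own threat intelligence.

```powershell
# Added example (not from Microsoft's report or the article): find PE files whose
# Authenticode signer subject matches a pattern, then report identifying details.
# The pattern '*DSIRF*' and the default paths are assumptions; the page gives
# neither the real certificate subject nor its thumbprint.
param(
    [string[]]$Paths = @("$env:SystemRoot\Temp", "$env:ProgramData", "$env:USERPROFILE\Downloads"),
    [string]$SignerPattern = '*DSIRF*'   # assumed; substitute the subject from your intel
)

$hits = foreach ($root in $Paths) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            # Unsigned files have no SignerCertificate; skip them.
            if ($cert -and $cert.Subject -like $SignerPattern) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    # Once a sample is confirmed, pivot on the certificate thumbprint instead of the
    # subject string: a subject can be reused by other certificates, a thumbprint cannot.
    $hits | Select-Object -ExpandProperty Thumbprint -Unique
} else {
    Write-Output "No files signed by a certificate matching '$SignerPattern' under: $($Paths -join ', ')"
}
```

A `Status` of `Valid` only means the signature chains to a trusted root and the file has not been modified since signing; it says nothing about whether the file is benign. The attribution value is in the signer identity, which is why the script records subject, issuer and thumbprint alongside the file hash.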

Wednesday's publication is the latest to tackle the scourge of mercenary spyware sold by private companies. Israel-based NSO Group is the best-known example of a for-profit company selling expensive exploits that often compromise devices belonging to journalists, lawyers and activists. Another Israel-based mercenary, Candiru, was exposed by Microsoft and the University of Toronto's Citizen Lab last year and was recently caught orchestrating phishing campaigns on behalf of clients that could bypass two-factor authentication.

Also on Wednesday, the U.S. House Permanent Select Committee on Intelligence held a hearing on the proliferation of foreign commercial spyware. One of the speakers was the daughter of a former hotel manager in Rwanda who was imprisoned after saving hundreds of lives during the genocide there and speaking out about it. She recounted the experience of having her phone hacked with NSO spyware the same day she met the Belgian Foreign Minister.

Referring to DSIRF by the tracking name KNOTWEED, Microsoft researchers wrote:

In May 2022, MSTIC discovered an Adobe Reader remote code execution (RCE) and 0-day Windows privilege escalation exploit chain used in an attack that led to the deployment of Subzero. The exploits were bundled into a PDF document that was emailed to the victim. Microsoft was unable to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim's version of Adobe Reader was released in January 2022, meaning the exploit used was either a one-day exploit developed between January and May or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we rate the Adobe Reader RCE with medium confidence as a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed...

