On July 15th, 2021 Citizen Lab released an article claiming that Candiru, an Israel-based company, sells spyware to governments that reportedly can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. Microsoft is calling the threat actor SOURGRUM. More than 750 websites were linked to the infrastructure of Candiru's spyware, which Microsoft is calling DevilsTongue. Two privilege escalation vulnerabilities affecting Microsoft Windows, CVE-2021-31979 and CVE-2021-33771, were exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021.
DevilsTongue also exploited CVE-2021-21166 and CVE-2021-30551 in Chrome, and CVE-2021-33742 in Internet Explorer. A post from Google's Threat Analysis Group on July 14th, 2021 reported that these vulnerabilities had been patched. Google also released details about an unrelated remote code execution flaw in Safari's WebKit engine following the detection of these vulnerabilities.
At least 100 victims, including human rights defenders, dissidents, journalists, activists, and politicians, were targeted in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Victims were lured to websites that fingerprinted their screen resolution, timezone, supported languages, browser plugins, and available MIME types in order to decide whether or not to attempt to compromise their browser.