
Austrian data firm accused of selling malware, conducting cyber attacks

Microsoft has accused DSIRF, an Austrian data services firm, of involvement in a string of cyber attacks

Alex Scroxton


Published: 29 Jul 2022 11:33

Microsoft threat researchers have accused an Austrian company called DSIRF of using multiple zero-day exploits in Windows and Adobe products to deploy a malware called Subzero against targets in Europe, including the UK, and in central America.

Vienna-headquartered DSIRF describes itself as providing mission-tailored services in information research, forensics and data-driven intelligence to multinational clients in the power, financial services, retail and technology sectors. The services it lists include due diligence and risk analysis of its clients' critical assets, and red team penetration testing.

But Redmond's Microsoft Threat Intelligence Centre (MSTIC) described DSIRF as a private sector offensive actor, or PSOA, and said it took advantage of CVE-2022-22047, a zero-day in the Windows Client Server Runtime Process (CSRSS) that was patched in the July 2022 Patch Tuesday update.

It also accused DSIRF of having previously exploited two Windows privilege escalation vulnerabilities and an Adobe Reader vulnerability, all patched last year, as well as a privilege escalation vulnerability in the Windows Update Medic Service.

MSTIC said that PSOAs such as DSIRF, which it is now tracking as Knotweed in its threat actor matrix, make their living either by selling full end-to-end hacking tools to buyers, much as the disgraced Israeli spyware firm NSO operates, or by running offensive hacking operations themselves.

In Knotweed's case, said MSTIC, the PSOA appears to blend both models. "They sell the Subzero malware to third parties but have also been observed using Knotweed-associated infrastructure in a few attacks, suggesting more direct involvement," the team wrote.

MSTIC said it had found multiple links between DSIRF and Knotweed's attacks that suggest they are one and the same. For instance, the threat actor has been observed using DSIRF-linked command and control (C2) infrastructure on occasion, as well as a DSIRF-associated GitHub account and a code signing certificate issued to DSIRF.

All this shows that DSIRF has been directly involved in cyber attacks, MSTIC alleged.

MSTIC said it had found evidence of Subzero being deployed against lawyers, banks and consultancies in a number of countries over the last two years, and during its communications with one victim learned that it had not commissioned DSIRF to conduct any red team or penetration testing, and that the intrusion was malicious.

Whether an attack comes from DSIRF or not, there are a number of actions defenders can take to protect themselves against Knotweed and Subzero.

As a first step, defenders should prioritise patching CVE-2022-22047 if they have not already done so, and confirm that Microsoft Defender Antivirus is updated to version 1.371.503.0 or later so that it detects the related indicators, which are listed in MSTIC's disclosure notice.

They can also usefully check their Excel macro security settings to control which macros run and in which circumstances, as Subzero has been known to arrive in the form of a malicious Excel file; enable multifactor authentication, which organisations should be doing as a matter of course; and review authentication activity for remote access infrastructure.
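A quick way to check the first three of these mitigations on a Windows host, as an added example that is not from the article or from Microsoft's guidance. It assumes Microsoft Defender and Office 2016 or later (registry hive 16.0); the signature threshold comes from the text above, and the KB number for the CVE-2022-22047 fix is a placeholder to be filled in from the Microsoft advisory.

```powershell
# Added example (not from the article or Microsoft): sanity-check the Knotweed/Subzero
# mitigations described above on a Windows host with Defender and Office 2016+ (hive 16.0).

# 1. Defender Antivirus signature version must be 1.371.503.0 or later (threshold from MSTIC).
$required = [version]'1.371.503.0'
$current  = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -ge $required) {
    Write-Host "OK   Defender signatures $current (>= $required)"
} else {
    Write-Warning "Defender signatures $current are older than $required; run Update-MpSignature"
}

# 2. CVE-2022-22047 was fixed in the July 2022 Patch Tuesday update. The KB number is a
#    placeholder: take the real one from the MSRC advisory for CVE-2022-22047.
$kb = 'KB<placeholder>'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Host "OK   $kb is installed"
} else {
    Write-Warning "$kb not found; confirm the July 2022 cumulative update is applied"
}

# 3. Excel macro settings: Subzero has arrived as a malicious Excel file. VBAWarnings
#    1 = run all macros, 2 = disable with notification, 3 = signed only, 4 = disable all.
#    A Group Policy value overrides the user preference, so check the policy key first.
$keys = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security',
    'HKCU:\Software\Microsoft\Office\16.0\Excel\Security'
)
$vba = $null
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -ne $v) { $vba = $v; $source = $k; break }
}
if ($null -eq $vba) {
    Write-Warning "VBAWarnings not set; Excel falls back to its default (disable with notification)"
} elseif ($vba -le 2) {
    Write-Warning "VBAWarnings=$vba in $source lets users run unsigned macros; prefer 3 or 4"
} else {
    Write-Host "OK   VBAWarnings=$vba in $source"
}
```

Run it in an elevated PowerShell session; a policy value under the HKLM Policies hive, if your estate uses one, can be added to the key list in the same way.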

Computer Weekly's sister title SearchSecurity contacted DSIRF, but the organisation did not respond to requests for comment.

Microsoft's disclosure coincides with written testimony by Cristin Flynn Goodwin, its general manager and associate general counsel, to the US government's House Permanent Select Committee on Intelligence, which is investigating security threats posed by commercial malware operations such as NSO and, allegedly, now DSIRF.

"Over ten years ago, we began to see companies in the private sector move into this sophisticated surveillance space as autocratic nations and smaller governments sought the capabilities of their larger and better-resourced counterparts," said Goodwin.

"In some instances, companies were building capabilities for governments to use in keeping with the rule of law and democratic values. But in other cases, companies began building and selling surveillance as a service to governments lacking the capabilities to create these technically complex tools, including to authoritarian governments or governments acting inconsistently with the rule of law and human rights norms.

"We see private sector companies pursuing acquisition of newly discovered and privately developed vulnerabilities (zero-day vulnerabilities) and using those to develop unique capabilities to gain access to systems without user consent. These companies then either sell these exploits or provide related exploit and surveillance services to governments, or potentially offer these services to companies for the purpose of industrial espionage.

"Once new vulnerabilities are exploited or capabilities to gain access to systems without user consent are developed, other actors can easily repeat the exercise."

Goodwin said Microsoft had long advocated for clear legal and normative regimes to regulate such technology, prohibiting human rights abuses while enabling legitimate security research.

"Cyber espionage not only erodes the rights of the targeted individual, but it also frequently places the security of the web ecosystem at increased risk," she said.

"The commercial spyware industry has grown into a business estimated at over $12bn in value and will likely continue to grow. Cyber security researchers, NGOs, journalists and companies have uncovered disturbing and sometimes tragic abuses of technology, including the targeting of dissidents, journalists, human rights lawyers and workers, politicians, and even family members of targets, including children.

"We welcome Congress's focus on the risks and abuses the world faces from the unscrupulous use of surveillance technologies."
