Microsoft"s war against private companies which sell cyberweapons is nothing new. Last year, the company coordinated with Cisco, GitHub, Google, VMWare, and more to file an amicus brief against NSO Group, which is known for its flagship Pegasus program used to hack WhatsApp. Today, the Redmond tech giant has reiterated that it is cracking down on private businesses which sell cyberweapons following the discovery of a new malware, allegedly developed by an Israel-based firm.
Microsoft says that the threat from malicious private companies is quite major, and yet another evidence of this is the "DevilsTongue" malware that it has recently observed to be targeting over 100 politicians, journalists, and activists around the globe, with almost half the victims residing in Palestine. The firm believes that this software was developed by an Israeli group that it has codenamed "Sourgum". Microsoft"s partner in this investigation, Citizen Lab, has attributed the activity to the Israeli company Candiru with high confidence. Sourgum typically sells its malicious software to customers who then use it to orchestrate cyberattacks.
Successful DevilsTongue infiltration leads to elevation of privilege on PCs. Microsoft says that the malware was distributed using 0-day exploits present on Windows as well as one-time-use URLs sent via WhatsApp messages. Although Microsoft has fixed the security holes in Windows in its Patch Tuesday updates earlier this week, you can head over to the dedicated guidance here to determine the nature of the complex attack, Indicators of Compromise (IoCs), and how to protect yourself.
Microsoft went on to say that:
These attacks have largely targeted consumer accounts, indicating Sourgum’s customers were pursuing particular individuals. The protections we issued this week will prevent Sourgum’s tools from working on computers that are already infected and prevent new infections on updated computers and those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint.
This is part of broader legal, technical and advocacy work we’re undertaking to address the dangers caused when PSOAs build and sell weapons.
Moving forward, Microsoft says that it will continue to monitor and identify private-state offensive actors (PSOAs). The company has highlighted the development and selling of cyberweapons from private companies as a dangerous trend that needs to be nipped from the bud as soon as possible.