Microsoft threat researchers have accused an Austrian company called DSIRF of using multiple zero-day vulnerabilities in Windows and Adobe products to deploy a malware called Subzero against targets in Europe – including the UK – and Central America.
Vienna-headquartered DSIRF described itself as providing “mission-tailored” services in information research, forensics and data-driven intelligence to multinational clients in the energy, financial services, retail and technology sectors. Among the services it offers are due diligence and risk analysis for its clients’ critical assets, including red team penetration testing services.
But Redmond’s Threat Intelligence Centre (MSTIC) described DSIRF as a “private sector offensive actor” or PSOA, and said it took advantage of CVE-2022-22047, a zero-day in the Windows Client Server Runtime Process (CSRSS) which was patched in the July 2022 Patch Tuesday update.
It also accused DSIRF of having previously exploited two Windows privilege escalation vulnerabilities and an Adobe Reader vulnerability, all of which were patched last year, as well as a privilege escalation vulnerability in the Windows Update Medic Service.
MSTIC said that PSOAs such as DSIRF, which it is now tracking as Knotweed in its threat actor matrix, make their living either by selling full end-to-end hacking tools to the purchaser – similar to how disgraced Israeli spyware firm NSO operates – or by running offensive hacking operations themselves.
In Knotweed’s case, said MSTIC, the PSOA may blend both of these models. “They sell the Subzero malware to third parties but have also been observed using Knotweed-associated infrastructure in some attacks, suggesting more direct involvement,” the team wrote.
MSTIC said it had found multiple links between DSIRF and Knotweed’s attacks that suggest they are one and the same. For example, the threat actor has been observed using DSIRF-linked command and control (C2) infrastructure in some instances, as well as a DSIRF-associated GitHub account and a code signing certificate that was issued to DSIRF.
All of this suggests that DSIRF has had direct involvement in cyber attacks, MSTIC alleged.
MSTIC said it had found evidence of Subzero being deployed against law firms, banks and consultancies in several countries over the past two years, and in the course of its communications with one victim, learned that it had not commissioned DSIRF to conduct any kind of red team or penetration testing, and that the intrusion was malicious.
Whether it emanates from DSIRF or not, there are a number of actions that defenders can take to protect themselves against Knotweed and Subzero.
As a first step, defenders must prioritise patching of CVE-2022-22047 if they have not already done so, and confirm that Microsoft Defender Antivirus is updated to 1.371.503.0 or later to detect related indicators – all of which are available to read in MSTIC’s disclosure notice.
They can also usefully check their Excel macro security settings to control which macros run in which circumstances, as Subzero has been known to arrive in the form of a malicious Excel file; enable multifactor authentication, which organisations should be doing as a matter of course; and review authentication activity for their remote access infrastructure.
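One way to check the mitigations above on a Windows host, as an added example that is not from the article or from Microsoft: it assumes an administrator PowerShell session, Microsoft Defender Antivirus present, Excel from Office 2016/2019/365 (registry version 16.0), and uses the date of the July 2022 Patch Tuesday (12 July 2022) as a heuristic for the CVE-2022-22047 fix, because the article gives no KB number.

```powershell
# Added example, not from the article or from Microsoft: a read-only readiness
# check for the Knotweed mitigations the article lists. Assumptions: runs as an
# administrator on a Windows host with Microsoft Defender Antivirus; Excel is
# Office 2016/2019/365 (registry version 16.0); the July 2022 Patch Tuesday date
# is a heuristic because the article does not give the KB number for the fix.

$MinimumSignatureVersion = [version]'1.371.503.0'   # version quoted in the article
$PatchTuesdayJuly2022    = Get-Date '2022-07-12'

function Test-DefenderSignature {
    # The article's 1.371.503.0 is the security intelligence (signature) version.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Check   = 'Defender security intelligence version'
        Current = $current.ToString()
        Pass    = ($current -ge $MinimumSignatureVersion)
        Note    = "need $MinimumSignatureVersion or later for the Knotweed detections"
    }
}

function Test-ExcelMacroPolicy {
    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office
    # default), 3 = disable except digitally signed, 4 = disable all silently.
    # The Policies hive (set by Group Policy) takes precedence over the user hive.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security',
        'HKCU:\Software\Microsoft\Office\16.0\Excel\Security'
    )
    $value = $null
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { $value = $v; break }
    }
    if ($null -eq $value) { $value = 2 }   # nothing set: Office default applies
    [pscustomobject]@{
        Check   = 'Excel macro policy (VBAWarnings)'
        Current = $value
        Pass    = ($value -ge 3)
        Note    = 'a value of 1 lets a malicious Excel file run its macro with no prompt'
    }
}

function Test-JulyPatchLevel {
    # Heuristic only: the newest installed update should date from July 2022
    # Patch Tuesday or later. Confirm the CSRSS fix KB for your build separately.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $installed = if ($latest) { $latest.InstalledOn } else { Get-Date '1970-01-01' }
    $label     = if ($latest) { "$($latest.HotFixID) on $($installed.ToShortDateString())" } else { 'none' }
    [pscustomobject]@{
        Check   = 'Windows update level (CVE-2022-22047 heuristic)'
        Current = $label
        Pass    = ($installed -ge $PatchTuesdayJuly2022)
        Note    = 'if False, the host has not taken the July 2022 cumulative update'
    }
}

function Get-RemoteLogonSummary {
    # Review of remote access authentication: Security event 4624 with logon
    # type 10 is an interactive RDP logon. Property offsets 5 (TargetUserName),
    # 8 (LogonType) and 18 (IpAddress) follow the standard field order of 4624.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        Group-Object { '{0} from {1}' -f $_.Properties[5].Value, $_.Properties[18].Value } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Run the three pass/fail checks; a False in the Pass column is an action item.
$results = foreach ($check in 'Test-DefenderSignature', 'Test-ExcelMacroPolicy', 'Test-JulyPatchLevel') { & $check }
$results | Format-Table Check, Current, Pass, Note -AutoSize

# Then list who has logged on over RDP in the last week, most frequent first,
# so unexpected accounts or source addresses can be followed up.
Get-RemoteLogonSummary -Days 7 | Format-Table -AutoSize
```

The patch-level check is deliberately a heuristic: it tells you a host has not taken any update since July 2022 Patch Tuesday, which is enough to triage a fleet, but a passing result should still be confirmed against the specific KB for the host's Windows build. The RDP summary covers only logon type 10; VPN or other remote access gateways log elsewhere and need their own review.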
Computer Weekly’s sister title SearchSecurity contacted DSIRF, but the organisation did not respond to requests for comment.
Microsoft’s disclosure coincides with written testimony by Cristin Flynn Goodwin, its general manager and associate general counsel, to the US government’s House Permanent Select Committee on Intelligence, which is investigating security threats posed by commercial malware operations such as NSO and, allegedly, now DSIRF.
“Over a decade ago, we started to see companies in the private sector move into this sophisticated surveillance space as autocratic nations and smaller governments sought the capabilities of their larger and better-resourced counterparts,” said Goodwin.
“In some cases, companies were building capabilities for governments to use consistent with the rule of law and democratic values. But in other cases, companies began building and selling surveillance as a service to governments lacking the capabilities to build these technically complex tools, including to authoritarian governments or governments acting inconsistently with the rule of law and human rights norms.
“We see private sector companies pursuing acquisition of newly discovered and privately developed vulnerabilities (zero-day vulnerabilities) and then using those to develop unique capabilities to gain access to systems without user consent. These companies then either sell these exploits or provide related exploit and surveillance services to governments or potentially offer these services to companies for the purpose of industrial espionage.
“Once new vulnerabilities are exploited or capabilities to gain access to systems without user consent are developed, other actors can quickly repeat the exercise.”
Goodwin said Microsoft had long advocated for “clear legal and normative regimes” to regulate such technology to prohibit human rights abuses while enabling legitimate security research.
“Cyber espionage not only erodes the rights of the targeted individual, but it also frequently places the security of the online ecosystem at risk,” she said.
“The commercial spyware industry has grown into an industry estimated at over $12bn in value and will likely increase. Cyber security researchers, NGOs, journalists and companies have uncovered disturbing and sometimes tragic abuses of technology, including the targeting of dissidents, journalists, human rights lawyers and workers, politicians, and even family members of targets – including children.
“We welcome Congress’s focus on the risks and abuses the world faces from the unscrupulous use of surveillance technologies.”