Microsoft accuses the Austrian company DSIRF of distributing spyware under the name Subzero. Austria’s state security service is now investigating the allegations.
According to a Microsoft blog post published on Wednesday, the Vienna-based company DSIRF used zero-day exploits to compromise a number of organisations in Europe and Central America. The Subzero spyware deployed in these attacks is said to be able to access confidential information such as passwords and login credentials. Microsoft therefore accuses the maker of the state trojan of being involved in attacks on law firms, banks and management consultancies in the United Kingdom, Austria and Panama. Austria’s state security service has now taken up the case to investigate the allegations, as the online magazine Futurezone reported.
Members of the Microsoft Threat Intelligence Center (MSTIC) noted that Subzero malware infections were spread through a variety of methods, including the exploitation of what were at the time zero-day vulnerabilities in Windows and Adobe Reader. This implies that the attackers knew about the vulnerabilities before they were publicly known and patched.
Microsoft specifically accuses DSIRF of acting as a PSOA. PSOA stands for Private Sector Offensive Actor. The term covers privately organised companies that develop and sell cyber weapons in the form of hacking-as-a-service packages to state clients, supplying the malware for their operations.
According to its website, DSIRF provides penetration testing as well as “contract-related information retrieval, forensics, and human intelligence (HUMINT) and open source intelligence (OSINT) services to multinational companies in technology, retail, energy and finance”.
Subzero malware uses zero-day exploits
According to Microsoft, DSIRF is a threat actor that performs “limited and targeted attacks” against companies, using zero-day vulnerabilities in Windows and Adobe products together with malware known as “Subzero”. One of the zero-days is CVE-2022-22047, a vulnerability in the Windows Client Server Runtime Subsystem (CSRSS) that was fixed as part of this month’s Patch Tuesday. Microsoft tracks DSIRF under the name “KNOTWEED”.
PSOAs, according to the tech giant, are “cyber mercenaries” who sell hacking tools or services as part of their business model. Often, these organisations either provide access through end-to-end hacking tools, or the PSOA conducts the offensive hacking operations itself. A prominent example of a PSOA is the notorious Israeli spyware vendor NSO Group.
DSIRF relies on a combination of two models
“Based on observed attacks and news reports, MSTIC believes KNOTWEED may mix these models. On the one hand, they sell the Subzero malware to third parties. On the other hand, it has also been observed in some attacks that used KNOTWEED-associated infrastructure, suggesting a more direct involvement”, according to Microsoft’s blog post.
The Microsoft Threat Intelligence Center (MSTIC) tracked Subzero activity between 2021 and 2022. It found at least one case in which a Subzero victim “did not commission red teaming or penetration testing and confirmed that it was unauthorized, malicious activity”.
Microsoft stated that there were “multiple connections” between DSIRF, the zero-day exploits and the Subzero malware:
“This includes the command and control infrastructure used by the malware, which is directly connected to DSIRF; a DSIRF-associated GitHub account associated with an attack; a code signing certificate issued to DSIRF that was used to sign an exploit; and other open source news reports attributing Subzero to DSIRF.”
To Futurezone, DSIRF’s management pointed out that Subzero is intended “exclusively for official use in EU countries”. In its statement, the company stressed that “it is not offered, sold or made available for commercial use”. It resists “with all determination the impression of having misused the Subzero software”.
To clarify the matter, the company has commissioned an independent expert, who is to examine the questions raised by the Microsoft security team. “Furthermore, DSIRF has initiated an internal investigation into Subzero-related operations.”
As Futurezone further reported, the Ministry of the Interior stated on Friday in response to a request from the APA:
“The Directorate of State Security and Intelligence Service (DSN) is examining the allegations, but so far there is no evidence of the use of spyware from the company.”