Microsoft catches spyware group targeting customers in Europe, Central America
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) have caught an Austrian company targeting European and Central American customers with attacks.
In a blog post, Microsoft identified a private-sector offensive actor (PSOA) named DSIRF and codenamed KNOTWEED for developing spyware called ‘Subzero’ to target customers in Europe and Central America.
“The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero, which was used in these attacks,” Microsoft wrote in a blog post.
The tech giant noted that the “cyber mercenaries” sell complete end-to-end hacking tools to third parties and also run targeted operations themselves.
“Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement,” Microsoft mentioned.
Even though Microsoft continues to monitor the activities of KNOTWEED, the Windows maker is urging users to deploy the July 2022 Microsoft security updates.
“Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED’s malware and tools,” it said.
Earlier this year, Microsoft confirmed it was hacked by the extortion group Lapsus$, which gained “limited access” to its systems.