The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on Wednesday claimed that they found an Austrian-based private-sector offensive actor (PSOA) exploiting multiple Windows and Adobe 0-day exploits in “limited and targeted attacks” against European and Central American customers.

For the unversed, PSOAs are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices.

The Austrian-based PSOA named DSIRF, which Microsoft had dubbed Knotweed, has been linked to the development and attempted sale of a malware toolset called “Subzero”.

DSIRF promotes itself on the website as a company that provides “mission-tailored services in the fields of information research, forensics as well as data-driven intelligence to multinational corporations in the technology, retail, energy, and financial sectors” and have “a set of highly sophisticated techniques in gathering and analyzing information.”

The Redmond giant said the Austria-based DSIRF falls into a group of cyber mercenaries that sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire.

MSTIC found that the Subzero malware was being circulated on computers through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in the years, 2021 and 2022.

As part of its investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not authorized any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity.

“Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common,” Microsoft wrote in a detailed blog post.

“MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”

In May 2022, Microsoft detected an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero.

“The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit,” the company explained.

Based on DSIRF’s extensive use of additional zero-days, Microsoft believes that the Adobe Reader RCE was indeed a zero-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047 in the Windows Client/Server Runtime Subsystem (csrss.exe).

The Austrian company’s exploits are also being linked to previous two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021.

In 2021, the cyber mercenary group was also linked to the exploitation of a fourth zero-day, a Windows privilege escalation flaw in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL.

To mitigate against such attacks, Microsoft has recommended its customers to:

  • Prioritize patching of CVE-2022-22047.
  • Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.371.503.0 or later to detect the related indicators.
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity.
  • Review all authentication activity for remote access infrastructure, focusing on accounts configured with single-factor authentication, to confirm the authenticity and investigate any abnormal activity.

Besides using technical means to disrupt Knotweed, Microsoft has also submitted written testimony to the House Permanent Select Committee on Intelligence Hearing on “Combatting the Threats to U.S. National Security from the Proliferation of Foreign Commercial Spyware.”