Microsoft recently discovered a private sector spyware group named DSIRF.
Microsoft's Security Response Center (MSRC) and the Microsoft Threat Intelligence Center (MSTIC) discovered an Austrian spyware group masking itself as a private company, DSIRF.
To attack its targets, this private-sector actor has been reported to use numerous zero-day exploits in Windows and Adobe products, as well as the recently patched vulnerability CVE-2022-22047.
They then developed the malware called Subzero, launching most of its attacks against targets in Central America and Europe. Microsoft tracks this private-sector actor as KNOTWEED.
Microsoft KNOTWEED
Microsoft found that KNOTWEED, on its DSIRF website, claims to use advanced methodologies for acquiring and analyzing information in order to provide services to companies in the financial, retail, technology, and energy sectors.
The attack hit banks, law firms, and strategic consultants in a number of countries, including Austria, the United Kingdom, and Panama, according to The Verge.
They market themselves publicly as a company that provides a number of services, such as improved due diligence and risk assessment procedures.
This is accomplished by providing a comprehensive understanding of individuals and organizations. Additionally, they make available highly sophisticated "Red Teams" to test their customers' most important assets.
However, despite the public persona, DSIRF has been linked in numerous news articles to creating a malware toolset called Subzero, as well as an attempt to sell this toolset.
In 2021 and 2022, Microsoft's threat intelligence team discovered that the Subzero malware was being distributed using a variety of techniques, including zero-day exploits in Windows and Adobe Reader.
Microsoft's conversations with one of the Subzero victims during the investigation showed that the company had not hired any red teams or commissioned any penetration testing. The victim also confirmed that the activity was illegal and malicious.
MSTIC has found multiple connections between DSIRF and the exploits and malware used in these attacks.
According to Microsoft, "these include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack; a code signing certificate issued to DSIRF being used to sign an exploit; and other open-source news reports attributing Subzero to DSIRF."
Microsoft's Recommendation To Prevent Attacks
Microsoft published a blog post detailing its findings on KNOTWEED. Among them are the security measures the tech giant recommends to users.
Microsoft recommends users patch the CVE-2022-22047 vulnerability to prevent possible attacks from KNOTWEED.
Use the indicators of compromise Microsoft published to check whether they are present in the environment and to assess how likely an intrusion is.
Make sure that Microsoft Defender Antivirus has security intelligence update 1.371.503.0 or later so that it detects the associated indicators.
Change the Excel macro security settings to control which macros operate when a user opens a workbook and under what conditions. According to Microsoft, "By turning on Antimalware Scan Interface (AMSI) runtime macro scanning, customers can also stop malicious XLM or VBA macros."
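One way to check the two macro-related settings above on a single Windows host, as an added PowerShell example that is not part of Microsoft's write-up or this article. It assumes Office 2016/2019/365 (registry version key 16.0), Excel, and a per-user configuration with no Group Policy override:

```powershell
# Added example (not from Microsoft's KNOTWEED write-up): audit and optionally harden
# the Excel macro setting and AMSI runtime macro scanning in the current user's hive.
# Assumption: Office version key "16.0"; adjust $OfficeVersion for other releases.
$OfficeVersion  = '16.0'
$ExcelSecurity  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security"
$CommonSecurity = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\Security"

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-OfficeMacroHardening {
    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    $vba  = Get-RegValueOrNull -Path $ExcelSecurity  -Name 'VBAWarnings'
    # MacroRuntimeScanScope: 0 = AMSI runtime scanning off, 1 = scan macros in
    # low-trust documents only, 2 = scan all macros. Absent = Office default applies.
    $amsi = Get-RegValueOrNull -Path $CommonSecurity -Name 'MacroRuntimeScanScope'

    [pscustomobject]@{
        VBAWarnings           = $vba
        AllMacrosEnabled      = ($vba -eq 1)               # weak: any macro runs silently
        SignedOnlyOrBlocked   = (@(3, 4) -contains $vba)
        MacroRuntimeScanScope = $amsi
        AmsiScanningDisabled  = ($amsi -eq 0)              # weak: explicitly turned off
        AmsiScansAllMacros    = ($amsi -eq 2)
    }
}

function Set-OfficeMacroHardening {
    # Corrected values: signed macros only, AMSI runtime scanning for all macros.
    # Without -Apply it only reports what it would change.
    param([switch]$Apply)
    $changes = @(
        @{ Path = $ExcelSecurity;  Name = 'VBAWarnings';           Value = 3 },
        @{ Path = $CommonSecurity; Name = 'MacroRuntimeScanScope'; Value = 2 }
    )
    foreach ($c in $changes) {
        if ($Apply) {
            New-Item -Path $c.Path -Force | Out-Null       # create the key if it is missing
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Value -Type DWord
        } else {
            "Would set $($c.Path)\$($c.Name) = $($c.Value)"
        }
    }
}

Test-OfficeMacroHardening | Format-List
Set-OfficeMacroHardening            # preview only; add -Apply to write the values
```

Values set through Group Policy (under HKCU:\Software\Policies\Microsoft\Office) take precedence over these user-hive keys, so a managed machine should be checked there as well.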
Review all authentication activity for remote access infrastructure, with a focus on accounts set up with single-factor authentication, to confirm that it is legitimate and to look for anomalous behavior.
Enable multi-factor authentication (MFA) to protect credentials that could be stolen and to make sure that all remote connections require MFA.