informa
2 min read
Quick Hits

Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware

Microsoft flagged the company's Subzero tool set as on offer to unscrupulous governments and shady business interests.

A cyber-weapons broker dubbed Knotweed has been outed, with Microsoft flagging it as being behind numerous spyware attacks on law firms, banks, and strategic consultancies in countries around the world.

To boot, Knotweed has made a habit of incorporating rafts of Windows and Adobe zero-day exploits into its spyware since at least 2021, according to Microsoft.

Knotweed falls into a murky category of so-called "private sector offensive actors" (PSOAs, aka commercial spyware vendors) that hawk their wares to unscrupulous governments and business interests. These ultrasophisticated (and expensive) tools are often used against dissidents, journalists, and other members of civil society, but they've been known to enable straightforward corporate espionage too.

In the Shadows

The breed is best exemplified by the infamous NSO Group and Pegasus mobile spyware, but many others lurk in the shadows, Microsoft warned.

One such is Knotweed, which is an alias for an Austrian outfit called DSIRF. It's a company that, as Microsoft explained in a post on Wednesday, "ostensibly sells general security and information analysis services to commercial customers." But that's only part of the story, according to the computing giant.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure and internet-connected devices," according to the analysis.

The aforementioned Microsoft and Adobe bugs in the tool set (detailed in a technical breakdown) have been seen in recent cyberattacks against targets in Austria, Panama, and the United Kingdom. In addition to publishing software updates to plug the holes on a regular basis, Microsoft has also published a Subzero malware signature for defense.

More action is needed on a broader level, given that DSIRF will not be the last PSOA to come to light, as Microsoft researchers explained in a brief sent to Congress on Wednesday.

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," according to the brief (PDF). "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."