The Challenge: Spyware from Candiru was used to impersonate sites from well-known advocacy organizations to target activists and human rights workers. Citizen Lab, a research institute at the University of Toronto, used Censys data to understand impersonated sites, passing the details forward to Microsoft Threat Intelligence Center (MSTIC) to find exploits.
What Citizen Lab achieved with help from Censys
1.) Citizen Lab mapped Candiru’s C2 infrastructure
Citizen Lab identified a certificate for candirusecurity.com, which allowed them to identify IP addresses historically associated with Candiru, and ultimately develop a fingerprint to find the websites that Candiru was attempting to impersonate.
2.) Microsoft Threat Intelligence Center (MSTIC) identified two privilege escalation vulnerabilities
Citizen Lab shared a signature that allowed Microsoft to identify two previously undisclosed privilege escalation vulnerabilities exploited by Candiru malware: CVE-2021-31979 and CVE-2021- 33771, as well as identify more than 100 other human rights defenders, journalists, activists, and politicians who were targeted by Candiru’s spyware.
Citizen Lab launches an investigation into Candiru
Citizen Lab focuses on research, policy, and advocacy at the intersection of human rights and information technology. A unique aspect of their mission is investigating technical practices used to target activists and journalists. Bill Marczak, a Senior Research Fellow at Citizen Lab, along with other researchers, have uncovered and unraveled numerous attacks using Censys, including the first-ever iPhone zero-day remote jailbreak seen in the wild. Most recently, Citizen Lab investigated Candiru. Alongside other researchers at Citizen Lab, Bill decided to pursue a formal investigation, publishing a detailed report on the company’s practices that was picked up by The New York Times and other news organizations.
What exactly is Candiru?
Candiru is a private sector offensive actor known for selling malware to governments. Their core product offering is spyware that can be installed through a number of infection vectors on a target’s Apple, Windows, or Android device. Candiru claims that their products are “untraceable,” which makes finding domains, certificates, and other C&C infrastructure affiliated with their software especially challenging. In recent years, Candiru spyware has attracted international attention due to its active use in targeting human rights defenders, journalists, and political activists.
Citizen Lab’s threat hunting goal
Citizen Lab used the Censys Universal Internet DataSet that details IPv4 hosts and services, as well as Censys’ certificate dataset, to map Candiru’s command and control (C&C) infrastructure and to understand the websites that Candiru’s spyware has been used to target. This ultimately allowed them to uncover that Candiru was actively targeting members of civil society, academia, and the media.
“We were curious about mapping out command and control infrastructure — IPs, domains, certificates — with the ultimate goal of understanding Candiru’s global footprint.” – Bill Marczak, Senior Research Fellow, Citizen Lab
How Censys Data and Search was used to understand the impact of Candiru
What certificates are affiliated with the candirusecurity[.]com domain name?
Citizen Lab found a self-signed certificate on Censys Search that was associated with Candiru. Their team knew to search for a specific domain: “candirusecurity[.]com” because they had found a 2015 corporate registration filing associated with Candiru. The registration included an email with the same domain: “amitn@candirusecurity[.]com.” This certificate finding was significant because it allowed the team to pivot to and uncover other attacker infrastructure using the historical Censys IPv4 dataset.
Which IPs were serving the certificate and what did that indicate about the targets, their geographies, and Candiru’s methods?
Citizen Lab queried the Censys IPv4 dataset to locate the IP addresses that were serving the certificate and potentially affiliated with Candiru. The team iterated between IPv4 hosts and certificates, ultimately surfacing certificates for over 750 websites that Candiru spyware infrastructure was impersonating. These included sites belonging to well-known advocacy organizations like amnestyreports[.]com and activist organizations like blacklivesmatters[.]info. Other less well-known sites were country specific and linked to Saudi Arabia, Russia, and Armenia. These provided hints to where targets could be located and methods currently used to entrap them.
Citizen Lab was also able to find an IP address via Censys that belonged to a victim of the spyware. Citizen Lab’s Bill Marczak stated, “Censys data was a critical part of the investigation because it helped us find the victim and recover the spyware sample.”
Through this research, Citizen Lab was able to pass on samples to Microsoft that allowed the Microsoft Threat Intelligence Center (MSTIC) to pivot off these IoCs and find the exploits: CVE-2021-31979 and CVE2021-33771, as well as 100 victims of spyware in many countries.
Why did Citizen Lab choose Censys?
“Censys structures Internet data in a way that’s easy to understand and query. Without regular expression queries and the ability to query specific fields, we wouldn’t have been able to develop or search for other hosts that matched our signature.” – Bill Marczak, Senior Research Fellow, Citizen Lab
- BigQuery, Search, and Raw Data Access
Censys provides access to hundreds of terabytes of historical Internet scan data through an online search interface, high-speed lookup API, Google BigQuery datasets, and raw data downloads.
- Scalable, Differentiated Data on Hosts and Certificates
Censys has the broadest coverage of both IPv4 hosts and certificates. Censys offers a dataset of 9.5 billion parsed and browser-validated X.509 certificates in addition to detailed records about IPv4 hosts and their service configuration going back 6+ years.
Censys provides the freshest data through continuously scanning the top 3,500 ports on the full IPv4 address space and scanning the top 138 ports daily.
Check out the full case study for a visual of how Citizen Lab mapped Candiru’s command and control infrastructure.
View Case Study
