Spyware maker Candiru exploited Google Chrome zero-day to target journalists

The vulnerability has already been patched by Google

A zero-day vulnerability in Google Chrome that was patched earlier this month was exploited by an Israeli spyware firm in attacks targeting journalists in the Middle East.

In a report published on Thursday, Czech cybersecurity firm Avast claimed that the zero-day was exploited by Candiru, a Tel Aviv-based firm also known as Saito Tech that offers powerful spyware to government customers.

Candiru has a history of exploiting previously unknown bugs to deploy Windows malware known as DevilsTongue, which is a modular implant with capabilities similar to those of NSO Pegasus.

Researchers working for Avast identified the Chrome vulnerability while looking into spyware attacks on the company's customers.

Avast contacted Google, which acknowledged the issue, assigned it CVE-2022-2294, and fixed it in Chrome version 103.0.5060.114.

Since then, Apple and Microsoft have patched the same vulnerability in their Safari and Edge web browsers.

CVE-2022-2294 is described as a high-severity heap-based buffer overflow in WebRTC, which, if successfully exploited, may result in code execution on the victim device.

When Google released the fix for the bug on July 4th, it said the weakness was being actively exploited, but did not share any other information.

Avast claims that Candiru started abusing CVE-2022-2294 in March 2022, targeting victims in Lebanon, Yemen, Turkey and Palestine.

In Lebanon, the attackers gained access to a website that was used by employees of a news agency. While it is unclear what the attackers may have been after, threat actors often target journalists in order to spy directly on them and the news stories they're working on, or to gain access to their sources in order to collect sensitive information they would share with the media.

According to Avast, attackers injected malicious JavaScript code into the compromised website, enabling cross-site scripting (XSS) attacks and redirecting valid targets to the exploit server. Through this watering hole attack, they were able to create a profile of the victim's browser.

This profile consisted of approximately 50 data points including information such as the victim's native language, time zone, device type, screen information, referrer, browser plugins and device memory, among other things.

The information was acquired to ensure that the exploit was only being sent to the intended targets.

If the attackers determined that the visitor was an intended target, an encrypted data exchange was established so that the zero-day exploit could be sent to the victim's machine.

In the Lebanon case, the zero-day vulnerability enabled the attackers to execute shellcode within a renderer process. They then chained the weakness with a sandbox escape attack to get an initial foothold and use it to deploy the DevilsTongue payload.

DevilsTongue malware further used a BYOVD (bring your own vulnerable driver) step to raise its privileges and gain read/write access to the memory of the affected device.

The researchers claim that the sophisticated malware is capable of keylogging, exfiltrating messages, browser histories, passwords, geolocation, and much more. It can even record using the victim's camera and microphone.

Zero-day exploits developed by Candiru were the subject of reports from Microsoft, Citizen Lab and Google last year.

The attacks targeted Chrome, Internet Explorer, Safari, as well as Windows, macOS, iOS, and Android devices.

According to a Citizen Lab report from April this year, surveillance tools created by Candiru and the Israeli surveillance firm NSO Group were also used in Spain.

Candiru and NSO Group were both blacklisted by the US last year.