Chrome Zero Day was used to infect journalists with Candiru spyware – BleepingComputer | Hot Mobile Press

Israeli spyware vendor Candiru was found to have exploited a zero-day vulnerability in Google Chrome to spy on journalists and other high profile figures in the Middle East using DevilsTongue spyware.

The bug, tracked as CVE-2022-2294, is a high-severity heap-based buffer overflow in WebRTC that, if successfully exploited, can lead to code execution on the target device.

When Google patched the zero-day on July 4th, it announced that the flaw was actively being exploited, but didn’t provide any further details.

In a report released today, Avast’s threat researchers, who discovered the vulnerability and reported it to Google, reveal that they discovered it after investigating spyware attacks on their clients.

Multiple campaigns and delivery methods

According to Avast, Candiru began exploiting CVE-2022-2294 in March 2022, targeting users in Lebanon, Turkey, Yemen, and Palestine.

The spyware operators employed common watering hole tactics: they compromised a website their targets visit and used an unknown vulnerability in the browser to infect the visitors' devices with spyware.

This attack is particularly nasty because it doesn’t require any interaction from the victim, such as clicking on a link or downloading something. Instead, all they have to do is open the website in Google Chrome or another Chromium-based browser.

These websites can either be legitimate websites that have been compromised in some way, or sites created by the attackers and promoted via spear phishing or other methods.

In one case, the attackers compromised a news agency website in Lebanon and placed snippets of JavaScript that enabled XSS (cross-site scripting) attacks and redirected valid targets to the exploit server.

Injected code to load JavaScript from a remote resource (avast)

As soon as the victims reached the server, they were profiled in great detail using around 50 data points. If the target was deemed valid, an encrypted data exchange was set up to deliver the zero-day exploit.

“The information collected includes the victim’s language, time zone, screen information, device type, browser plugins, referrers, device memory, cookie functionality and more,” Avast’s report explains.

In the Lebanon case, the zero-day allowed actors to achieve shellcode execution within a renderer process and was further chained to a sandbox escape bug that Avast was unable to recover for analysis.

Because the bug was localized in WebRTC, it also affected Apple’s Safari browser. However, the exploit discovered by Avast only worked on Windows.

After the initial infection, DevilsTongue used a BYOVD (bring your own driver) step to increase its privileges and gain read and write access to the compromised device’s storage.

One of the vulnerable IOCTL handlers used in the BYOVD exploit (avast)

Interestingly, Avast discovered that the driver vulnerability used in the BYOVD step was also a zero-day, and even if the vendor releases a security update, it doesn’t help against the spyware, since the spyware brings its own copy of the vulnerable driver version.

While it’s not clear what data the attackers were targeting, Avast believes the threat actors used it to learn more about what news the targeted journalist was researching.

“We can’t say for sure what the attackers might have been after, but often the reason attackers pursue journalists is to directly spy on them and the stories they are working on, or to get to their sources and collect compromising information and sensitive data they have shared with the press.” – Avast.

The persistent spyware threat

Commercial spyware vendors have been known to develop or purchase zero-day exploits to target individuals of interest to their customers.

When Candiru was last exposed by Microsoft and Citizen Lab, the company paused all DevilsTongue operations and quietly worked on acquiring new zero-days, Avast now reveals.

Unfortunately, this also means that the same thing will happen again. Even if you apply security updates immediately, you are not immune to commercial spyware.

To address this issue, Apple plans to introduce a new iOS 16 feature called “Lockdown Mode”, which will restrict the device’s features and functionality to prevent confidential data leaks or minimize the impact of a spyware infection.
