Exploitation of Recent Chrome Zero-Day Linked to Israeli Spyware Company

An actively exploited Chrome zero-day that Google patched on July 4 has been linked to an Israeli spyware company and used in targeted attacks aimed at entities in the Middle East.

Google was informed about the vulnerability and attacks exploiting it on July 1 by cybersecurity company Avast, which observed it being used against its customers in the Middle East as part of what appeared to be highly targeted operations.

The vulnerability is tracked as CVE-2022-2294 and it has been described as a heap buffer overflow in WebRTC. The zero-day has been patched with the release of a Chrome 103 update for Windows. This is the fourth actively exploited Chrome vulnerability patched by Google this year.

According to Avast’s threat intelligence team, targeted individuals included journalists in Lebanon, with other targets spotted in Turkey, Yemen and Palestine.

“In Lebanon, the attackers seem to have compromised a website used by employees of a news agency,” said Jan Vojtesek, malware researcher at Avast. “We can’t say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press. An attack like this could pose a threat for press freedom.”

Based on an analysis of the malware and tactics used in these attacks, Avast has attributed the use of the Chrome zero-day to an Israel-based spyware vendor named Candiru.

Candiru, also known as Saito Tech, has been described as a “mercenary spyware firm” that provides surveillance tools to government customers. These types of companies typically claim to provide their tools and services for lawful surveillance to governments, but their products have often been found to be used by authoritarian regimes against their opponents.

In the recent attacks observed by Avast, threat actors first collected roughly 50 data points to create a profile of the victim’s browser. This data included language, time zone, screen information, device type, browser plugins, and device memory.

The Chrome zero-day exploit appears to have only been delivered — through an encrypted channel — to users who were considered of value by the hackers. After gaining access to the targeted machine, the attackers delivered a piece of malware named DevilsTongue.

DevilsTongue is a sophisticated piece of malware that can be used to steal files, run commands, query databases, steal credentials from LSASS and browsers, steal cookies that can be used to access social media and email accounts, and obtain conversations from the Signal messaging app.

Last year, Microsoft, Citizen Lab and Google issued reports about zero-day exploits created by Candiru and provided to government-backed threat actors. The exploits target Windows, macOS, iOS and Android devices, as well as the Chrome, Internet Explorer and Safari browsers.

In April this year, Citizen Lab reported that tools made by Candiru — as well as the Israeli surveillance company NSO Group — had been used in Spain.

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: Google Attempts to Explain Surge in Chrome Zero-Day Exploitation

Related: North Korea Gov Hackers Caught Sharing Chrome Zero-Day