Security Experts:

Connect with us

Hi, what are you looking for?



Exploitation of Recent Chrome Zero-Day Linked to Israeli Spyware Company

An actively exploited Chrome zero-day that Google patched on July 4 has been linked to an Israeli spyware company and used in targeted attacks aimed at entities in the Middle East.

An actively exploited Chrome zero-day that Google patched on July 4 has been linked to an Israeli spyware company and used in targeted attacks aimed at entities in the Middle East.

Google was informed about the vulnerability and attacks exploiting it on July 1 by cybersecurity company Avast, which observed it being used against its customers in the Middle East as part of what appeared to be highly targeted operations.

The vulnerability is tracked as CVE-2022-2294 and it has been described as a heap buffer overflow in WebRTC. The zero-day has been patched with the release of a Chrome 103 update for Windows. This is the fourth actively exploited Chrome vulnerability patched by Google this year.

According to Avast’s threat intelligence team, targeted individuals included journalists in Lebanon, with other targets spotted in Turkey, Yemen and Palestine.

“In Lebanon, the attackers seem to have compromised a website used by employees of a news agency,” said Jan Vojtesek, malware researcher at Avast. “We can’t say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press. An attack like this could pose a threat for press freedom.”

Based on an analysis of the malware and tactics used in these attacks, Avast has attributed the use of the Chrome zero-day to an Israel-based spyware vendor named Candiru.

Candiru, also known as Saito Tech, has been described as a “mercenary spyware firm” that provides surveillance tools to government customers. These types of companies typically claim to provide their tools and services for lawful surveillance to governments, but their products have often been found to be used by authoritarian regimes against their opponents.

In the recent attacks observed by Avast, threat actors first collected roughly 50 data points to create a profile of the victim’s browser. This data included language, time zone, screen information, device type, browser plugins, and device memory.

The Chrome zero-day exploit appears to have only been delivered — through an encrypted channel — to users who were considered of value by the hackers. After gaining access to the targeted machine, the attackers delivered a piece of malware named DevilsTongue.

DevilsTongue is a sophisticated piece of malware that can be used to steal files, run commands, query databases, steal credentials from LSASS and browsers, steal cookies that can be used to access social media and email accounts, and obtain conversations from the Signal messaging app.

Last year, Microsoft, Citizen Lab and Google issued reports about zero-day exploits created by Candiru and provided to government-backed threat actors. The exploits target Windows, macOS, iOS and Android devices, as well as the Chrome, Internet Explorer and Safari browsers.

In April this year, Citizen Lab reported that tools made by Candiru — as well as the Israeli surveillance company NSO Group — had been used in Spain.

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: Google Attempts to Explain Surge in Chrome Zero-Day Exploitation

Related: North Korea Gov Hackers Caught Sharing Chrome Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.