Google Chrome’s Zero-Day Exploit Delivered Spyware to Journalists


A serious Chrome browser vulnerability has been linked to an Israeli spyware company and its efforts to spy on journalists, according to findings from antivirus firm Avast.

Earlier this month, Google fixed the previously unknown vulnerability in Chrome, dubbed CVE-2022-2294, warning that someone was already exploiting the flaw to attack users.

It turns out that an Israeli company called Candiru was likely exploiting the flaw to spy on journalists in Lebanon, according to Avast, which initially reported the threat to Google. On Thursday, the antivirus vendor released a report containing more details about the vulnerability and how it was used to deliver a spyware package.

According to the report, Candiru has been targeting Avast users in Lebanon, Turkey, Yemen and Palestine since March with an “updated toolset”, which includes zero-day exploits designed for Google’s Chrome browser. These zero-day exploits are particularly concerning because they exploit publicly unknown flaws in the software, leaving users vulnerable with no fix available.

To target journalists in Lebanon, Candiru allegedly compromised a legitimate website belonging to a news agency. The Israeli spyware company then rigged the site to redirect some visitors to a web server capable of collecting around 50 data points from the victim’s computer, such as language, time zone, browser plugins, etc.

If the collected data met certain requirements, the server would establish an encrypted channel with the victim’s computer to deliver the exploit for the Chrome zero-day vulnerability, CVE-2022-2294. The result is remote execution of malicious code in the victim’s browser.

Avast suspects that Candiru used the exploit in conjunction with another vulnerability capable of escaping Chrome’s “sandbox” safeguard. However, the antivirus vendor was unable to discover the second vulnerability. Using both vulnerabilities, the attack was able to deliver a Windows-based spyware package to the victim’s computer.

According to Avast, the spyware corresponds to “DevilsTongue”, a Windows-based malware that Microsoft also discovered in separate Candiru-related attacks. That’s why the antivirus company suspects the Israeli vendor of using CVE-2022-2294 in targeted attacks in the Middle East.

The good news is that Google already patched the flaw on July 4th, so users can simply update the Chrome browser to protect themselves from the threat. Microsoft’s Edge and Apple’s Safari browsers, which also use WebRTC, have also released patches.

Candiru does not have a public website, so PCMag could not contact the company for immediate comment. But last year, the United States banned technology exports to the Israeli supplier for allegedly helping foreign governments distribute spyware to smartphones.
