Google exploit used against journalists


A previously unidentified weakness in Google Chrome’s defenses was recently used by threat actors to target journalists in the Middle East, according to Avast.

“We recently discovered a zero-day vulnerability in Google Chrome (CVE-2022-2294) when it was exploited in the wild in an attempt to attack Avast users in the Middle East,” said the cybersecurity provider. “Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties.”

ADVERTISEMENT

Avast said it reported the zero-day exploit – a weakness in an organization’s cyber defenses hitherto unidentified – to Google on July 4, with the big tech firm saying it has since been patched.

But prior to that, it is thought the weakness was “abused to achieve shellcode execution in Chrome’s renderer process,” allowing threat actors to remotely assume command of selected devices. Avast believes its users based in Lebanon, Turkey, Yemen, and Palestinian parts of Israel were attacked in such a way from March, and that “the attacks were highly targeted.”

Secretive spyware

The techniques, tactics and procedures and the nature of the malware itself point to a “secretive spyware vendor” – known as Candiru, after a species of paralyzing fish – as the culprit.

Initially exposed by Microsoft and CitizenLab in July 2021, Candiru is thought to have “laid low for months, most likely taking its time to update its malware to evade existing detection.” But the past few months have seen it resurface with a vengeance.

“There were multiple attack campaigns, each delivering the exploit to the victims in its own way,” said Avast. “In Lebanon, the attackers seem to have compromised a website used by employees of a news agency. We can’t say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press.”

Profile and surveille

Candiru gathers information by setting up a “profile of the victim’s browser, consisting of about 50 data points.” This is collated and then relayed back to the threat actors.

ADVERTISEMENT

“The collected information includes the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more,” said Avast. “We suppose this was done to further protect the exploit and make sure that it only gets delivered to the targeted victims.”

If the threat actor deems the data identifies a suitable target, they are then poised to use an encryption channel to deliver zero-day exploits to a victim. The channel also simultaneously conceals the exploit, making it harder to spot and defend against.

Avast further warned that while the exploit was specifically designed for Chrome on Windows, its potential impact was much broader and could affect other browsers such as Microsoft Edge and Apple’s Safari.

“We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did,” it added.