Google Chrome Spread Israeli Spyware to Journalists

A critical vulnerability in Google Chrome has been tied to an Israeli spyware firm’s attempts to monitor journalists, according to antivirus company Avast.

Google recently fixed the previously unknown vulnerability, known as CVE-2022-2294, and warned that it was already being exploited to target users.

Avast has discovered that Israeli firm Candiru was likely utilizing the vulnerability to spy on journalists in Lebanon. The antivirus company initially reported the threat to Google and recently published a report with further information on the vulnerability and how it was utilized to deliver spyware.

The report states that Candiru has been targeting Avast users in Lebanon, Turkey, Yemen, and Palestine since March with a new toolset that includes zero-day exploits specifically designed for Google Chrome.

Zero-day exploits are concerning because they target previously unknown weaknesses in the software, leaving users exposed with no means of protection.

To target journalists in Lebanon, Candiru is said to have taken control of a legitimate website owned by a news agency. The Israeli spyware firm manipulated the site to redirect specific visitors to a web server capable of collecting approximately 50 data points from the victim’s computer, including information such as language, time zone, browser plugins, and more.

If the collected data met specific criteria, the server would establish an encrypted connection with the victim’s computer and use the Chrome zero-day vulnerability (CVE-2022-2294) to remotely execute malicious code in the victim’s browser.

Avast believes that Candiru utilized the exploit in conjunction with another weakness that could bypass Chrome’s sandbox security feature. Although Avast was not able to identify the second vulnerability, the combination of the two allowed for the delivery of a Windows-based spyware package to the victim’s computer.

Avast identified the spyware known as “DevilsTongue,” which is a Windows malware similar to one discovered by Microsoft in attacks linked to Candiru. Avast believes the Israeli vendor utilized CVE-2022-2294 in targeted attacks in the Middle East.

However, the security threat has been addressed, as Google patched the flaw on July 4th. To protect against the threat, users can update their Chrome browser, as well as Microsoft Edge and Apple Safari, which also use WebRTC and have also released patches.


