Google Chrome Zero-Day and Candiru

A serious vulnerability in the Chrome browser has been linked to an Israeli spyware company and its efforts to spy on journalists, according to findings from antivirus company Avast.

Earlier this month, Google patched the previously unknown vulnerability in Chrome, dubbed CVE-2022-2294, warning that someone was already exploiting the flaw to attack users.

It turns out an Israeli company called Candiru was likely exploiting the flaw to spy on journalists in Lebanon, according to Avast, which initially reported the threat to Google. On Thursday, the antivirus provider published a report containing more details about the vulnerability, and how it was used to deliver a spyware package.

According to the report, Candiru has been targeting Avast users in Lebanon, Turkey, Yemen, and Palestine since March with an “updated toolset,” which includes zero-day exploits designed for Google’s Chrome browser. These zero-day exploits are particularly worrisome because they tap publicly unknown flaws in the software, leaving users vulnerable with no way to patch.

To target the journalists in Lebanon, Candiru allegedly compromised a legitimate website belonging to a news agency. The Israeli spyware company then rigged the site to reroute certain visitors to a web server capable of collecting about 50 data points from the victim’s computer, such as the language, timezone, browser plugins, and more.

If the collected data met certain requirements, the server would proceed to establish an encrypted channel with the victim’s computer to deliver an exploit for the Chrome zero-day vulnerability, CVE-2022-2294. A successful exploit can remotely execute malicious code in the victim’s browser.

Avast suspects Candiru used the exploit in conjunction with another vulnerability capable of escaping Chrome’s “sandbox” safeguard. However, the antivirus provider wasn’t able to uncover the second vulnerability. Still, by using the two vulnerabilities, the attack was able to deliver a Windows-based spyware package to the victim’s computer.

According to Avast, the spyware matches “DevilsTongue,” a Windows-based malware that Microsoft also uncovered in separate attacks linked to Candiru. That is why the antivirus company suspects the Israeli vendor used CVE-2022-2294 in targeted attacks in the Middle East.

The good news is that Google already patched the flaw back on July 4, so users can simply update the Chrome browser to protect themselves from the threat. Microsoft’s Edge and Apple’s Safari browsers, which also use WebRTC, have released patches as well.

Candiru doesn’t have a public website, so PCMag wasn’t able to reach the company for immediate comment. But last year, the US banned technology exports to the Israeli vendor for allegedly helping foreign governments spread spyware to smartphones.

