Chrome zero-day exploit used to target journalists in the Middle East

Chrome zero-day exploit used to target journalists in the Middle East

Zero-day exploits are some of the most feared security vulnerabilities out there, mostly because institutions working to patch them are already well behind the curve. It’s not uncommon for Google’s name to come up in such an exploit, it’s got thumbs in every pie after all: the company accounted for 58 exploits in 2021, meaning a more than two-fold increase uncovered the year before, although the company attributes the higher number to better detection. Well, we can officially tally another one for Google’s 2022 as researchers are now disclosing a new exploit that’s been in the hands of Israeli spyware distributor, Candiru (also known as Saito Tech), navigating a hole through DevilsTongue spyware on the Chrome browser to illegally track journalists across the Middle East.


Although Google patched the vulnerability identified as CVE-2022-2294 on July 4 with the stable release of Chrome v103.0.5060.114, it still poses an active threat to users who haven’t updated their browsers. Avast reports (via BleepingComputer) that the vulnerability was reported to Google upon its discovery on July 1 following complaints from some of their partners. Google didn’t specify how the vulnerability operates due to security reasons but clarified that it is under active exploitation.

Avast claims that Candiru started exploiting the 2294 vulnerability in March of this year. It primarily targeted journalists and high-profile individuals in Lebanon, Palestine, Turkey, and Yemen.

The fact that this exploit was found in WebRTC is what makes it even more dangerous. All it takes for the attack to be successful is for the victim to open the affected website, which could either be a page created by the attackers for the purpose or a reputable website that was compromised. The latter was such the case when attackers infiltrated the site of a Lebanese news agency and inserted JavaScript snippets to implement cross-site scripting attacks while rerouting visitors to an infected server.

Those who made it there had browser-based sensitive data hijacked, with as many as 50 data points including timezone, language, device type, device memory, cookies, browser plugins, and so on stolen. Upon gauging the feasibility of the target, the attackers would initiate the encrypted data exchange, thus accommodating the zero-day exploit.

Avast said the spyware, DevilsTongue, utilized a “Bring Your Own Vulnerable Driver” or BYOVD exploit following the first sequence. This would enable the attackers to gain read/write access to the target device’s memory. That said, this step would also present a checkpoint for potential victims to prevent the attack from going further.

The nature of the exploit meant that even Apple’s Safari browser wasn’t immune. The Avast team did clarify, though, that they only witnessed this issue on Windows.

Researchers couldn’t determine the motive behind the specific attack against the Lebanon news site, but it’s pretty clear Candiru’s clients wanted to know what journalists in the region were reporting on or ascertain what they were researching for an upcoming story. A successful attack of this nature on journalists could also unmask their confidential sources or informants, potentially putting their lives at risk.

Leave a Comment

Your email address will not be published.