Google ZeroDay Actively Exploited by Candiru
Vulnerabilities persisted in the Chrome browser has been linked to an Israeli spyware company and its efforts to spy on journalists.
Google patched an unknown vulnerability in Chrome, dubbed CVE-2022-2294 earlier this month and warned that someone was already exploiting the flaw to attack users.
An Israeli company called Candiru was likely exploiting the flaw to spy on journalists in Lebanon.
Candiru has been targeting users in Lebanon, Turkey, Yemen, and Palestine since March with an updated toolset, which includes zero-day exploits designed for Google’s Chrome browser.
To target the journalists in Lebanon, Candiru allegedly compromised a legitimate website belonging to a news agency. The Israeli spyware rerouted certain visitors of the website to a web server capable of collecting about 50 data points from the victim’s computer, such as the language, timezone, browser plugins.
If the collected data met certain requirements, the server would proceed to establish an encrypted channel with the victim’s computer to launch the Chrome zero-day vulnerability, CVE-2022-2294. The result can remotely execute malicious computer code on the victim’s browser.
Candiru used the exploit in conjunction with another vulnerability capable of escaping Chrome’s sandbox safeguard. However, it’s still under suspicion and yet to be confirmed.
This research was done and documented by Avast AV security firm.