Saturday, December 7, 2024
HomeGoogleGoogle Chrome 0-Day Vulnerability Exploited in The Wild To Deploy Spyware

Google Chrome 0-Day Vulnerability Exploited in The Wild To Deploy Spyware

Published on

SIEM as a Service

This month came to light a zero-day vulnerability that has long been exploited by evildoers inside Google Chrome, but that has now been patched by the company. This flaw has been weaponized by an Israeli spy company and used in attacks against Middle Eastern journalists and their families.

In response to the exploitation, cybersecurity firm Avast connected the incident to Candiru (also known as Saito Tech). A Windows malware dubbed DevilsTongue has been deployed by this group on a number of occasions prior to now by exploiting previously unknown flaws.

Essentially, it is a zero-day vulnerability, with the CVE-2022-2294 designation, which has been identified in Google Chrome. As it turns out, it is memory corruption in WebRTC that was exploited in Chrome’s renderer process to be executed shellcode in a way that was not intended.

- Advertisement - SIEM as a Service

Explotaion & Targets

During the months following the July 2021 discovery of the malware by Microsoft and CitizenLab, Candiru kept a low profile for several months. 

It is likely that it took its time updating its malware in order to avoid detection by the existing detection system, that’s why it took so long.

This time it return with an updated toolset in March 2022, targeting users located in the following countries:-

  • Lebanon
  • Turkey
  • Yemen
  • Palestine

Attackers are exploiting zero-day vulnerabilities in Google Chrome to launch watering hole attacks on users. The attacks were thought to be highly targeted, but it’s not yet clear whether this is true.

It appears that the attackers in Lebanon have compromised a website that is used by news agency employees in order to carry out their duties. 

An artifact of persistent, XSS attacks was found on the compromised website, such as pages that contained the following information:-

An alert function was called with the keyword ‘test’ accompanied by a call to the Javascript function alert.

Data Collected

It is at this point that Candiru gathers more information about the victim as soon as it arrives at the exploit server. Attackers collect about 50 data points about the victim’s browser and send that information to them in the form of a profile of the victim’s computer. 

A number of information about the victim has been collected, including the:- 

  • Language
  • Timezone
  • Screen information
  • Device type
  • Browser plugins
  • Referrer
  • Device memory
  • Cookie functionality

As a result of this, it’s ensured that the exploit would be further protected and that only the targeted victims would receive it. The exploit server sends an encryption key to the victim via RSA-2048 if the data collected in the exploit has satisfied its requirements.

Using this encryption key along with the AES-256-CBC algorithm, it is possible to deliver zero-day exploits to the victim. In order to be able to deliver the exploit, an encrypted route must first be established so that it can be delivered anonymously.

Additionally, in recent years, it has been reported that since early 2021, state-sponsored hacking groups have been actively targeting journalists to spread malware and conduct espionage.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google Chrome Security Update, Patch for High-severity Vulnerability

Google has released a significant security update for its Chrome browser, aiming to address...

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions...

GeoVision 0-Day Vulnerability Exploited in the Wild

Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices,...