Spyware maker Candiru linked to Chrome zero-day targeting journalists

Security researchers have linked the discovery of an actively exploited but since-fixed zero-day vulnerability in Google Chrome to an Israeli spyware maker targeting journalists in the Middle East.

Cybersecurity company Avast has linked the exploitation to Candiru, a Tel Aviv-based hacking-for-hire company also known as Saito Tech, which provides its powerful spyware to government clients. Candiru, much like Israel’s NSO Group, claims its software is designed to be used by government and law enforcement agencies to thwart potential terrorism and crime, but researchers have found that authoritarian regimes have used the spyware to target journalists, political dissidents and critics of repressive regimes. Candiru was sanctioned by the U.S. Commerce Department for engaging in activities contrary to U.S. national security.

Avast said it observed Candiru in March using the Chrome zero-day exploit for targeting individuals in Turkey, Yemen and Palestine — as well as journalists in Lebanon, where Candiru compromised a website used by employees of a news agency.

“We can’t say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press,” said Jan Vojtěšek, malware researcher at Avast. “An attack like this could pose a threat to press freedom.”

The Chrome zero-day exploit planted on the Lebanese news agency’s website was designed to collect about 50 data points from a victim’s browser, including its language, timezone, screen information, device type, browser plugins and device memory, likely to ensure that only the devices of those who were specifically targeted would ultimately be compromised. When a target is found, the Chrome zero-day creates a foothold on the victim’s machine in order to deliver the spyware payload, which researchers have dubbed DevilsTongue.

DevilsTongue, like other government-grade spyware, can steal the contents of a victim’s phone, including messages, photos and call logs, and track a victim’s location in real time.

Avast disclosed the vulnerability, tracked as CVE-2022-2294, to Google on July 1, with a fix landing days later on July 4 with the release of Chrome 103. Google said at the time it was “aware that an exploit for CVE-2022-2294 exists in the wild.”

Candiru was first exposed by Microsoft and Citizen Lab in July last year. Their findings showed that the spyware maker had targeted at least 100 activists, journalists and dissidents across 10 countries. According to Avast, following last year’s release of Citizen Lab’s report, Candiru likely lay low to update its malware and evade detection efforts until this latest round of attacks.