Report: Mercenary spyware exploited Google Chrome zero-day to target journalists
Andrea Peterson July 22, 2022


A zero-day vulnerability in Google Chrome was discovered when attackers exploited it to target users in the Middle East, including journalists, cybersecurity firm Avast said Thursday. 

The company attributed the attacks to a secretive Israeli firm known as Candiru — named after a notorious parasitic fish — that sells spyware to governments. 

Candiru has been active for years, but drew added scrutiny after the University of Toronto’s Citizen Lab and Microsoft exposed the firm’s links to the DevilsTongue malware last July and laid out how the tool had been used to target members of civil society.

The U.S. government sanctioned Candiru along with several other makers of hacking tools sold to governments later that year. This April, Citizen Lab also linked Candiru tools to attacks targeting members of the Catalan community in Spain. 

Candiru appeared to lie low after the first Citizen Lab report, likely in order to develop new exploits, according to Avast. 

Then it re-emerged. 

“We’ve seen it return with an updated toolset in March 2022, targeting Avast users located in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using zero-day exploits for Google Chrome,” Avast wrote. “We believe the attacks were highly targeted.”

In a watering hole attack, the attackers compromise websites their intended victims are already known to visit, so that those sites infect visitors’ machines. In this case, the attackers used a chain of exploits against victims that included a zero-day vulnerability in Google Chrome. Google released a fix for the issue (CVE-2022-2294) in a July 4 update.

Avast wrote that “a large portion” of the attacks it observed took place in Lebanon, where “the attackers seem to have compromised a website used by employees of a news agency.” 

Journalists are a frequent target of attacks by nation-state actors, often for intelligence purposes. 

“We can’t say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press,” Avast wrote. 

Bill Marczak, one of the authors of Citizen Lab’s investigations into Candiru, told The Record the Avast report demonstrates the value of having more security firms on the alert for mercenary spyware. 

“At least five security companies, including Avast, have detected, burned, and published on Candiru attacks directed against their customers running Microsoft Windows,” he said. 

However, Marczak added, researchers may have only scratched the surface. 

“Candiru also appears to maintain capabilities against mobile phones, but none of these has been detected, as far as we know,” he added.

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then at The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.