Security researchers said a secretive seller of cyberattack software recently exploited a previously unknown Chrome vulnerability and two other zero-day vulnerabilities in campaigns that covertly infected journalists and other targets with sophisticated spyware.
On Thursday, Avast said it had detected multiple attack campaigns, each delivering the exploit in a different way to Chrome users in Lebanon, Turkey, Yemen and Palestine. The watering-hole sites were very selective about which visitors to infect. Once the watering-hole sites successfully exploited the vulnerability, they used their access to install DevilsTongue, the name Microsoft gave last year to advanced malware sold by the Israeli company Candiru.
“In Lebanon, attackers appear to have hacked into a website used by employees of a news agency,” writes Avast researcher Jan Vojtěšek. “We can’t say for sure what the attackers might have been after, but often the reason attackers go after journalists is to spy on them and the material they are working on, or to get to their sources and collect incriminating and sensitive data they shared with the press.”
Vojtěšek said that Candiru lay low after the revelations published last July by Microsoft and Citizen Lab. The researcher said the company came out of the shadows again in March with an updated set of tools. The watering-hole site, which Avast did not identify, went to great lengths not only to infect only selected visitors, but also to keep its precious zero-day vulnerabilities from being discovered by researchers or would-be rival hackers.
As soon as the victim reaches the exploit server, Candiru collects additional information. The victim’s browser profile, consisting of approximately 50 data points, is collected and sent to the attackers. The information collected includes the victim’s language, time zone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more. Avast assumes this was done to further protect the exploit and ensure that it is only delivered to targeted victims. If the collected data satisfies the exploit server, it uses RSA-2048 to exchange an encryption key with the victim. This key is then used with AES-256-CBC to establish an encrypted channel through which the zero-day exploits are delivered. This encrypted channel is layered on top of TLS, effectively hiding the exploits even from anyone able to decrypt the TLS session and inspect the plaintext HTTP traffic.
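One way a defender who already decrypts TLS can spot this pattern, as an added example that is not from Avast’s research or any real product: flag HTTP responses whose body is near-random despite a text-like Content-Type, since AES-CBC ciphertext (raw or base64-wrapped) scores close to 8 bits of entropy per byte while real script or JSON stays far below. The threshold, the sample bodies and the use of seeded pseudo-random bytes as a stand-in for ciphertext are assumptions constructed for this example.

```python
import base64
import math
import random
from collections import Counter
from typing import Optional

# Content-Types under which an opaque, high-entropy body is out of place.
TEXT_TYPES = ("text/", "application/javascript", "application/json")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_base64(body: bytes) -> Optional[bytes]:
    """Decoded bytes if the body is a plausible base64 blob, else None."""
    stripped = body.strip()
    if len(stripped) < 64 or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True)  # raises on non-alphabet chars
    except ValueError:
        return None

def flag_opaque_body(content_type: str, body: bytes, threshold: float = 7.5) -> dict:
    """Score one decrypted response. A base64 wrapper caps entropy near 6 bits/byte,
    so the body is decoded first and the inner bytes are what get measured."""
    decoded = looks_base64(body)
    sample = decoded if decoded is not None else body
    entropy = shannon_entropy(sample)
    text_like = content_type.lower().startswith(TEXT_TYPES)
    return {
        "entropy": round(entropy, 2),
        "base64_wrapped": decoded is not None,
        # Short bodies give noisy entropy estimates, so require a minimum size.
        "suspicious": text_like and len(sample) >= 256 and entropy >= threshold,
    }

# Constructed samples (not captured traffic): a benign script body, and a
# stand-in for an AES-256-CBC payload. Ciphertext is indistinguishable from
# random bytes, so a seeded PRNG models it without a crypto library.
BENIGN_JS = b"document.addEventListener('DOMContentLoaded',function(){console.log('ready');});\n" * 8
CIPHERTEXT = random.Random(2022).randbytes(4096)
CIPHERTEXT_B64 = base64.b64encode(CIPHERTEXT)
```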
Despite the attempts to keep CVE-2022-2294 secret, Avast was able to recover the attack code, which used a heap overflow in WebRTC to execute malicious shellcode inside the renderer process. The recovery allowed Avast to identify the vulnerability and report it to the developers so that it could be fixed. The security firm was unable to obtain a separate zero-day exploit that the first exploit needed in order to escape Chrome’s security sandbox. This means that the second zero-day will live to fight another day.
After DevilsTongue was installed, it attempted to elevate its system privileges by installing a Windows driver containing another unpatched vulnerability, bringing the number of zero-days used in this campaign to at least three. Once the unidentified driver was installed, DevilsTongue used the security hole to gain access to the kernel, the most sensitive part of any operating system. Security researchers call this technique BYOVD, for bring your own vulnerable driver. It allows malware to bypass OS protections, since most drivers automatically have access to the OS kernel.
Avast reported the vulnerability to the driver’s manufacturer, but there is no indication that a patch has been released. At the time of publication, only Avast and one other antivirus engine detected the driver exploit.
Since both Google and Microsoft fixed CVE-2022-2294 in early July, chances are good that most Chrome and Edge users are already protected. Apple, however, only patched the vulnerability on Wednesday, meaning Safari users should make sure their browsers are up to date.
“While we have no way of knowing for sure if the WebRTC vulnerability has been exploited by other groups, it is possible,” Vojtěšek wrote. “Sometimes zero days are discovered by several groups independently of each other, sometimes someone sells the same vulnerability/exploit to several groups, etc. But we have no indication that there is another group using the same zero day.”