Security researchers at Avast found a new Chrome vulnerability and two other zero-days being exploited in a campaign targeting journalists with sophisticated spyware labelled DevilsTongue.
Avast researchers revealed that they found multiple campaigns, all delivering the exploit in their own unique way to Chrome users in the Middle East, specifically Lebanon, Palestine, Turkey and Yemen. The watering hole sites picked their targets carefully, and once exploited, they used the access to install DevilsTongue, Candiru’s advanced spyware.
Google patched the flaw, tracked as CVE-2022-2294, on July 4 after being privately notified by the researchers. Microsoft and Safari have patched their respective browsers as well.
A heavily protected exploit
Candiru has gone to great lengths to protect this exploit. Once a target visits the exploit server, Candiru collects over 50 data points to build a profile of the victim’s browser, including the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more.
Once a target is selected, the exploit server then uses RSA-2048 to exchange an encryption key with the target, which is used to establish an encrypted channel to deliver the zero-day exploits. To further protect themselves, the encrypted channel is set on top of TLS to avoid getting captured in plaintext HTTP traffic.
Once the exploit is run and DevilsTongue is installed on the victim’s computer, it elevates its privileges using a flawed Windows driver having yet another zero-day vulnerability. Installing this driver gives DevilsTongue access to the operating system’s kernel, as most drivers by access to an OS’ kernel by default. This technique is called “bring your own vulnerable driver” or BYOVD.
However, despite the obfuscation, Avast recovered the attack code allowing it to identify the vulnerability and report it to both Google and the driver maker. While Google, Microsoft and recently Apple have all patched the browser vulnerability, there’s no word from the driver-maker about when a patch will be released. Only Avast and McAfee can detect the driver exploit at the time of writing.
Another point of concern here is that Avast could not find a separate zero-day vulnerability that allowed the first one to escape Chrome’s security sandbox. This means this second vulnerability can cause problems in the future.
Other groups may also be exploiting WebRTC
Candiru has been laying low since Microsoft, and Citizen Labs made multiple exposes against its toolset last July. However, it resurfaced in March with an updated toolkit and has since been very careful in protecting its exploits from security researchers and rival hacking groups.
Avast researcher Jan Vojtěšek explains that while there’s ascertaining whether or not other groups were exploiting the WebRTC vulnerability or not, there’s a possibility of it happening as sometimes multiple groups discover zero-day vulnerabilities independently or vulnerabilities and exploits get sold between groups. However, at the moment, there’s no indication of any other group exploiting this vulnerability.
In the News: Pixel 6A comes to India: Price, specs and more