Skip to content

Search the site

Google 0day bug exploited in wild to target journos. Others vulnerable to upstream bug

Journalists targeted, Israeli firm "Candiru" blamed

A Google Chrome 0day was used to target reporters, cybersecurity company Avast says, warning that other software using the upstream WebRTC component that impacted Chrome may be vulnerable.

The vulnerability in the ubiquitous browser -- allocated CVE-2022-2294 -- was exploited in the wild before being identified and reported to Google, which issued a patch on July 4, Avast said on July 25.

Apple patched the same underlying WebRTC vulnerability on July 20.

WebRTC is an open source project supported by Apple, Google, Microsoft and Mozilla among others. It is used to build real-time communication capabilities into applications in a range of different ways.

Avast attributed the attacks to an Israel-based private-sector offensive actor "Candiru".

The exploit "abused a heap buffer overflow in WebRTC to achieve shellcode execution inside a renderer process. This zero-day was chained with a sandbox escape exploit, which was unfortunately further protected and we were not able to recover it" Avast said. "We extracted a PoC from the renderer exploit and sent it to Google’s security team. They fixed the vulnerability... and releasing a patch in Chrome version 103.0.5060.114".

Avast has attributed the attack to same Israeli company first exposed by Microsoft -- which dubbed it SOURGUM -- and CitizenLab in July 2021, when it was spotted exploiting a series of Windows 0days (CVE-2021-31979 and CVE-2021-33771) to target politicians, human rights activists, journalists, and political dissidents.

Avast said today that the most recent Candiru attacks hit targets in Lebanon, Turkey, Yemen, and Palestine.

Google Chrome 0day abused WebRTC vulnerability

While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider.

"Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari. We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.

"Our Avast Secure Browser was patched on July 5. Microsoft adopted the Chromium patch on July 6, while Apple released a patch for Safari on July 20. We encourage all other WebRTC integrators to patch as soon as possible" Avast warned. The company, which has itself been the target of hackers in the past, added: "At the end of the exploit chain, the malicious payload (called DevilsTongue, a full-blown spyware) attempts to get into the kernel using another zero-day exploit. This time, it is targeting a legitimate signed kernel driver in a BYOVD fashion. Note that for the driver to be exploited, it has to be first dropped to the filesystem (Candiru used the path C:\Windows\System32\drivers\HW.sys) and loaded, which represents a good detection opportunity.

The driver is exploited through IOCTL requests. In particular, there are two vulnerable IOCTLs: 0x9C40648C can be abused for reading physical memory and 0x9C40A4CC for writing physical memory. We reported this to the driver’s developer, who acknowledged the vulnerability and claimed to be working on a patch. Unfortunately, the patch will not stop the attackers, since they can just continue to exploit the older, unpatched driver. We are also discussing a possible revocation, but that would not be a silver bullet either, because Windows doesn’t always check the driver’s revocation status. Driver blocklisting seems to be the best solution for now."

Avast did not name the drivers or driver developer. The Stack has asked for more details.

Follow The Stack on LinkedIn