Using 0 days to infect Chrome users can be a threat to Edge and Safari users as well

Security researchers say an undercover cyber-attack software vendor recently exploited a previously unknown vulnerability in Chrome and two more zero days in campaigns that secretly infected journalists and other targets with sophisticated spyware.

CVE-2022-2294, due to the tracking vulnerability, stems from a memory corruption flaw in Web Real-Time Communications, an open source project that provides JavaScript programming interfaces to enable real-time voice, text, and video communications capabilities between web browsers and devices. Google fixed the flaw on July 4 after researchers from security firm Avast privately reported to the company that it is being exploited in water-hole attacks, which infect targeted websites with malware in hopes of infecting repeat users. Microsoft and Apple have since patched the same WebRTC flaw in Edge and Safari browsers, respectively.

Avast said Thursday that it has uncovered several attack campaigns, each of which presents the vulnerability in its own way to Chrome users in Lebanon, Turkey, Yemen and Palestine. Irrigation pit sites were very selective in selecting visitors for infestation. Once the waterhole sites successfully exploited the vulnerability, they used their access to install DevilsTongue, the name Microsoft gave last year to advanced malware sold by an Israel-based company called Candiru.

“In Lebanon, it appears that attackers have hacked a website used by employees of a news agency,” Avast researcher Jan Vojtěšek wrote. “We can’t say for sure what attackers might be behind, but often the reason attackers go after journalists is to spy on them and the stories they’re working on directly, or to access their sources and gather compromising information and sensitive data they shared with the press.”

Vojtěšek said Kanderu was lying in bed after the revelations were made public last July by Microsoft and CitizenLab. The researcher said the company re-emerged from the shadows in March with an updated toolkit. The location of the watering hole, which Avast did not specify, has bothered not only in selecting specific visitors for infection but also in preventing valuable zero-day vulnerabilities from being discovered by researchers or potential rival hackers.

Wojciech wrote:

Interestingly, the hacked website contained artifacts of persistent XSS attacks, with pages containing calls to the Javascript function alert along with keywords like ‘test’. We assume that this is how the attackers tested the XSS vulnerability, before eventually exploiting it for real by injecting a piece of code that loads malicious JavaScript from a domain controlled by the attackers. This injected code was then responsible for directing the intended victims (and only the intended victims) to the exploit server, through several other domains controlled by the attacker.

Malicious code is injected into the hacked website, loading more javascript than nifty ban[.]com
Zoom / Malicious code is injected into the hacked website, loading more javascript than nifty ban[.]com


Once the victim reaches the exploit server, Candiru collects more information. A victim’s browser profile, consisting of about 50 data points, is collected and sent to the attackers. The information collected includes the victim’s language, time zone, screen information, device type, browser plug-ins and references, device memory, cookie functionality and more. We assume this was done to further protect the vulnerability and ensure that it only reaches its intended victims. If the data collected satisfies the exploit server, it uses RSA-2048 to exchange an encryption key with the victim. This encryption key is used with AES-256-CBC to create an encrypted channel through which zero-day exploits are delivered to the victim. This encrypted channel is set up over TLS, to effectively hide vulnerabilities even from those who are going to decrypt a TLS session in order to capture normal HTTP traffic.

Despite efforts to keep CVE-2022-2294 secret, Avast was able to recover the attack code, which exploited WebRTC’s heap flow to execute malicious shellcode within a view. The recovery allowed Avast to identify the vulnerability and report it to developers so that it can be fixed. The security company was unable to obtain the separate zero-day exploit that was required so that the first exploit could escape sandboxing in Chrome. This means that this second zero day will live to fight another day.

Once DevilsTongue was installed, I tried to elevate its system privileges by installing a Windows driver that contained another unpatched vulnerability, bringing the number of zero days exploited in this campaign to at least three. Once the anonymous driver is installed, DevilsTongue will exploit the vulnerability to gain access to the kernel, the most sensitive part of any operating system. Security researchers call this technology BYOVD, short for “Bring Your Vulnerable Driver.” It allows malware to defeat the operating system’s defenses since most drivers can automatically gain access to the operating system’s kernel.

Avast has reported the bug to the driver maker, but there is no indication of a patch version. As of the time of publication, only Avast and one other antivirus engine have detected the driver exploit.

Since both Google and Microsoft patched CVE-2022-2294 in early July, it is likely that most Chrome and Edge users are already protected. However, Apple fixed the vulnerability on Wednesday, which means Safari users should make sure their browsers are up to date.

“Although there is no way for us to know whether or not the WebRTC vulnerability has been exploited by other groups, it is a possibility,” Wojciek wrote. “Sometimes Zero Days are detected independently by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that another group is exploiting the same Zero Day.”

Leave a Reply

%d bloggers like this: