A secretive seller of cyberattack software recently exploited a previously unknown Chrome vulnerability and two other zero-days in campaigns that covertly infected journalists and other targets with sophisticated spyware, security researchers said.
CVE-2022-2294, as the vulnerability is tracked, stems from memory corruption flaws in Web Real-Time Communications, an open source project that provides JavaScript programming interfaces to enable real-time voice, text, and video communications capabilities between web browsers and devices. Google patched the flaw on July 4 after researchers from security firm Avast privately notified the company it was being exploited in watering hole attacks, which infect targeted websites with malware in hopes of then infecting frequent users. Microsoft and Apple have since patched the same WebRTC flaw in their Edge and Safari browsers, respectively.
Avast said on Thursday that it uncovered multiple attack campaigns, each delivering the exploit in its own way to Chrome users in Lebanon, Turkey, Yemen, and Palestine. The watering hole sites were highly selective in choosing which visitors to infect. Once the watering hole sites successfully exploited the vulnerability, they used their access to install DevilsTongue, the name Microsoft gave last year to advanced malware sold by an Israel-based company named Candiru.