A zero-day vulnerability in Google’s Chrome web browser was discovered on July 1 when it was used to target journalists in the Middle East, according to cybersecurity company Avast. The majority of the attacks took place in Lebanon.
“Based on the malware and TTPs used to carry out the attack, we can confidently attribute it to a secretive spyware vendor of many names, most commonly known as Candiru,” Avast wrote.
Also known as SAITO Tech, Candiru is an Israeli technology company that creates cyberespionage systems, often for governmental clients, including the Israeli Ministry of Defense. The company has been blacklisted by the US government for its behavior that was allegedly harmful to national security.
“The reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press.”
Avast
Cyberattacks targeted Middle East journalists
The cyberattacks in Lebanon allegedly compromised a website that journalists frequented, according to Avast. Although Candiru’s motives were unclear, “the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press,” the cybersecurity firm explained.
It is important to point out that Hezbollah often operates under the guise of journalists. Al Manar, for example, is a media outlet that is run by Hezbollah and was designated as a terror entity by the United States back in 2006.
In addition to Lebanon, the attacks occurred in Turkey, Yemen and the Palestinian territories. Avast claimed that Candiru returned with an updated set of tools in March after a period of minimal activity dating back to July 2021, when its activity was exposed by Microsoft and CitizenLab.
By using the zero-day vulnerability that could not be detected by the browser, the attackers compromised websites and created sites specifically for their purposes, Android Police described. Users fell victim to the ploy simply by opening one of these sites.
Important data obtained by cyberattacks
Those affected had their browser-based sensitive data hijacked, including up to 50 datapoints such as language, cookies, device type and time zone, according to Android Police. Furthermore, Apples Safari web browser was vulnerable to the attacks as well, although Avast saw that only Windows devices were affected.
That Candiru’s attacks were detected emphasizes the value of cybersecurity firms that look out for mercenary spyware, Bill Marczak, a member of CitizenLab’s investigation into the company, said. “At least five security companies, including Avast, have detected, burned, and published on Candiru attacks directed against their customers running Microsoft Windows. “Candiru also appears to maintain capabilities against mobile phones, but none of these has been detected, as far as we know.”
Google remedied the situation with a Chrome update on July 4, but those who have not updated their browser are still at risk.
In response to the report, Candiru issued the following statement: "Candiru is operated under a strict license from the Defense Export control Agency (DECA) in the Israeli Ministry of Defense. Candiru’s product is allowed to be used only to prevent terror and major crimes. The product is sold only to governments. Candiru’s product do not posses the capability of hacking into websites and Candiru does not sell or provide such an ability".