A computer screen filled with ones and zeros also contains a Google logo and the word hacked.

A secretive seller of cyberattack software recently exploited a previously unknown Chrome vulnerability and two other zero-days in campaigns that covertly infected journalists and other targets with sophisticated spyware.

The flaw was in Web Real-Time Communications (WebRTC), an open source project that provides a Javascript programming interface for real-time voice, text, and video communications between web browsers and devices. Google patched it after researchers from security firm Avast privately notified the company that it was being exploited in watering hole attacks. Both Microsoft and Apple have patched the same flaw.

The exploit was delivered through watering hole sites to Chrome users in Lebanon, Turkey, Yemen, and Palestine, according to the company. The sites were very choosy about which visitors they infected. Once a site had exploited the vulnerability, it installed Candiru's malware.

A website used by employees of a news agency in Lebanon was among those compromised, according to a researcher. "We can't say for certain what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they're working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press."


According to Vojtek, Candiru had been lying low since last July. The company came back from the shadows in March with an updated toolset. The watering hole site took pains to select only certain visitors and to keep its precious zero-day vulnerabilities from being discovered by researchers.

Vojtek wrote:

Interestingly, the compromised website contained artifacts of persistent XSS attacks, with there being pages that contained calls to the Javascript function alert along with keywords like "test." We suppose that this is how the attackers tested the XSS vulnerability, before ultimately exploiting it for real by injecting a piece of code that loads malicious Javascript from an attacker-controlled domain. This injected code was then responsible for routing the intended victims (and only the intended victims) to the exploit server, through several other attacker-controlled domains.

The malicious code injected into the compromised website, loading further Javascript from stylishblock[.]com

Once the victim gets to the exploit server, Candiru gathers more information. A profile of the victim’s browser, consisting of about 50 data points, is collected and sent to the attackers. The collected information includes the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more. We suppose this was done to further protect the exploit and make sure that it only gets delivered to the targeted victims. If the collected data satisfies the exploit server, it uses RSA-2048 to exchange an encryption key with the victim. This encryption key is used with AES-256-CBC to establish an encrypted channel through which the zero-day exploits get delivered to the victim. This encrypted channel is set up on top of TLS, effectively hiding the exploits even from those who would be decrypting the TLS session in order to capture plaintext HTTP traffic.
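The persistent-XSS residue and the injected loader described above are the kind of thing a site operator can scan for in their own pages. The following is an added example, not code from Avast or from the article: it parses a constructed HTML page, reports any external script host that is not on the site's allowlist, and flags inline `alert("test")` calls of the sort left behind by the attackers' testing. The hostname `news.example` and the sample markup are assumptions for the demonstration; `stylishblock.com` is the loader domain named in the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real capture): a legitimate first-party
# script, an XSS-test residue call, and an injected loader pulling code
# from the attacker-controlled domain named in the article.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://news.example/static/vendor.js"></script>
<script>alert("test");</script>
<script src="https://stylishblock.com/loader.js"></script>
</head><body><p>Headline</p></body></html>
"""

class _ScriptCollector(HTMLParser):
    """Collects external <script src=...> URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline = False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False
    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

def find_injected_scripts(html, allowed_hosts):
    """Return (unexpected_hosts, xss_test_residue) for one page.

    allowed_hosts: hostnames the site legitimately loads scripts from.
    Relative src values are same-origin and never reported. Inline scripts
    that are only an alert("test...") call are reported as XSS residue.
    """
    p = _ScriptCollector()
    p.feed(html)
    hosts = {urlparse(s).hostname for s in p.external}
    unexpected = sorted(h for h in hosts if h and h not in allowed_hosts)
    residue = [s.strip() for s in p.inline
               if re.fullmatch(r'\s*alert\(\s*["\']test[^)]*\)\s*;?\s*', s)]
    return unexpected, residue
```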

Despite the attempts to keep it secret, the attack code was recovered. That recovery allowed the vulnerability to be identified and reported to developers so that it could be fixed. The security firm was unable to obtain the separate zero-day exploit that was used to escape the security sandbox, so that one will live to fight another day.


The installation of a Windows driver containing an unpatched vulnerability brought the number of zero-days exploited in this campaign to at least three. Once the driver was installed, DevilsTongue gained access to the kernel, the most sensitive part of any operating system. The technique is known as "bring your own vulnerable driver," or BYOVD. Because most drivers have access to the OS kernel, a vulnerable one can be used to defeat OS defenses.

There is no indication that a patch for the flaw has been released. The driver exploit was detected by only two engines.

Chances are good that most users of these browsers are already protected. Safari users should make sure their browsers are up to date now that Apple has fixed the vulnerability.

Vojtek wrote that it is possible that the vulnerability was exploited by other groups. We don't know if there is another group exploiting the same zero-day.