Surveillance company Candiru caught exploiting Google Chrome flaw

Former offices of Candiru, according to the Canadian NGO Citizen Lab.

Journalists from a Lebanese news agency have been targeted by one of Candiru's spyware programs, the antivirus publisher Avast has just reported. Although the Czech company does not know the reasons for this particular surveillance, it notes that spying on journalists generally lets attackers discover their sources, learn what they are working on, or collect sensitive data.

The very discreet company Candiru, also known as Saito Tech, is, along with NSO Group, one of the prominent firms in the Israeli cyber-surveillance industry; the two companies share several shareholders and founders. According to the Canadian NGO Citizen Lab, Candiru's offering, aimed at state clients, ranges from spying on computers and mobile devices to cloud accounts.

A new campaign detected in the spring

The spyware manufacturer is suspected of having sold its products in Saudi Arabia, the United Arab Emirates, Qatar, Singapore and even Uzbekistan. Although the company has been talked about less lately, it was far from dormant; Avast speculates that it used the time to develop new, stealthier capabilities.

The antivirus publisher, in a report by its researcher Jan Vojtešek, says it spotted a campaign in the spring that targeted users of its products in Lebanon, Turkey, Yemen and Palestine. "We think the attacks were very targeted," says the malware specialist.

One of the attack chains relied on a subtle sequence of steps. First, the attacker compromised a website used by employees of the targeted Lebanese news agency, a classic watering-hole technique. The compromised site profiled its visitors and redirected only the precisely filtered victims to a server hosting the exploit.

Then, using a then-unknown (zero-day) flaw in Google Chrome, CVE-2022-2294, a heap buffer overflow in the WebRTC component, the attackers gained code execution in the browser and went on to install the DevilsTongue spyware. Microsoft, which analysed DevilsTongue in 2021, described it as full-featured spyware that, among other things, can read Signal conversations.

Wider impact

As Avast points out, the zero-day flaw used against Chrome had a much broader impact. Because WebRTC is shared code, it affected other Chromium-based browsers, such as Microsoft Edge and Avast Secure Browser, as well as Apple's Safari. All of these vendors have released patches since the beginning of July; Google shipped the fix in Chrome 103.0.5060.114. Installing the update is not enough on its own: Chrome users, for example, must relaunch the browser for the update to take effect, and until then the vulnerable build keeps running.
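A practical way to verify that a machine is no longer running a vulnerable build is to compare the installed Chrome version against the first fixed release, 103.0.5060.114 (from Google's 4 July 2022 Stable Channel Update). The following is an added example, not code from the article or from Avast; the sample version strings are constructed, and the binary name `google-chrome` is an assumption that varies by platform.

```python
"""Check whether a Chrome/Chromium version string predates the CVE-2022-2294 fix.

Added example (not from the original article). The fixed Stable version,
103.0.5060.114, comes from Google's 4 July 2022 Stable Channel Update; the
sample version strings used below are constructed to exercise the comparison.
"""
import re
import subprocess
from typing import Tuple

# First Chrome Stable build shipping the WebRTC heap-overflow fix (CVE-2022-2294).
FIXED_VERSION = "103.0.5060.114"

# Chrome version numbers have four dotted numeric components.
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){3})\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the four-part version from output such as
    'Google Chrome 103.0.5060.53' or 'Chromium 102.0.5005.115 snap'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at least the fixed version.

    Comparing integer tuples matters: as strings, "103.0.5060.53" sorts
    *after* "103.0.5060.114", which would wrongly report a vulnerable
    build as patched.
    """
    return parse_version(version_text) >= parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> str:
    """Run `<binary> --version` and return its output.

    The binary name is an assumption: use 'chromium', 'chromium-browser'
    or the full path to chrome.exe on other systems.
    """
    result = subprocess.run([binary, "--version"], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed samples: one vulnerable build, the first fixed build, a later one.
    for sample in ("Google Chrome 103.0.5060.53",
                   "Google Chrome 103.0.5060.114",
                   "Chromium 104.0.5112.79"):
        status = "patched" if is_patched(sample) else "VULNERABLE"
        print(f"{sample}: {status}")
```

This only checks the version on disk; as the paragraph above notes, a Chrome that has downloaded the update but not yet been relaunched still runs the old code, so pair the check with a relaunch (or inspect the running process's binary) before considering the host fixed. Microsoft Edge and Safari use their own version schemes, so the fixed version above applies to Chrome and Chromium builds only.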
