Spyware company Candiru is back in the hot seat

Avast recently disclosed it had discovered a zero-day vulnerability in Google Chrome, which it attributes to the Israeli company

Illustration: Bigstock / Copyright: PavelMuravev

Israeli surveillance tech is garnering headlines once again. Czech cybersecurity company Avast recently disclosed it had discovered a zero-day vulnerability in Google Chrome, which was exploited in the wild in an attempt to attack company users in the Middle East. Avast “confidently” attributes this to the secretive Israeli spyware vendor Candiru.

In a new report, Avast Threat Labs author Jan Vojtěšek notes that following Candiru’s exposure by Microsoft and Citizen Lab in July 2021, it laid low for a while, “most likely taking its time to update its malware and evade existing detection.” It was spotted again in March 2022, “targeting Avast users located in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using zero-day exploits for Google Chrome.”

“We believe the attacks were highly targeted,” he added.

The report mentions that there have been multiple attack campaigns, each targeting its victims in its own way. For example, the attackers seem to have compromised a news agency website in Lebanon. Avast’s researchers could not confirm the reason, though they believe this target was chosen either to spy on the journalists themselves or on their sources.

The exploit, while specifically designed for Chrome on Windows, has a much wider vulnerability potential. “Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge), but also different browsers like Apple’s Safari.” Google patched the vulnerability earlier this month.

In November 2021, the US Department of Commerce added Candiru (which, by the way, is named after an Amazonian parasitic fish), along with fellow Israeli company NSO Group and two other companies (from Russia and Singapore), to its Entity List (blacklist), citing “malicious cyber activities” as the reason.

Clients of NSO Group’s spyware, Pegasus, have also been accused of targeting journalists, including Saudi journalist Jamal Khashoggi.

Both NSO and Candiru have been major sponsors of the ISS World conferences – super-secret, media-free events which bring together members of law enforcement, intelligence, security analysts, financial crime investigators and others, and which are known as the “spy ball”.

According to the June 2022 conference’s official schedule, a Candiru representative gave a lecture titled “Modern security challenges: Staying stealthy and understanding the cyber landscape threats, utilizing a holistic operational security approach.”

Earlier this month, Apple announced it would try to combat spyware by launching Lockdown Mode, which “offers an extreme, optional level of security for the very few users who…may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.”
