Italian Spyware Vendor Exploits Chrome Zero-Day
Google’s Threat Analysis Group (TAG) has linked an Italian commercial spyware vendor, RCS Lab, to attacks that exploited a zero-day vulnerability in the Google Chrome web browser. These attacks were identified as targeting individuals in Italy and Kazakhstan. RCS Lab is the developer of a spyware tool known as “Hermit,” which has been observed in these campaigns. The company operates within the private-sector offensive actor (PSOA) industry, which provides surveillance tools to government-backed entities.
The campaign leveraged a high-severity Chrome zero-day vulnerability tracked as CVE-2022-2294. This specific flaw is a heap buffer overflow weakness found within Chrome’s WebRTC (Web Real-Time Communications) component. The attackers employed a drive-by-download method, where victims were sent a unique link. Upon visiting the link, their browser was redirected to a page designed to trigger the exploit without any further user interaction.
Attribution and Mitigation Measures
Once the initial vulnerability was exploited, the attack chain delivered a spyware payload to the victim’s device. This allowed the attackers to exfiltrate data and execute code remotely. Google TAG noted that the initial exploit page was designed to appear benign, sometimes as a legitimate-looking but blank page, to avoid suspicion.
Google’s researchers attributed the attacks to RCS Lab after discovering that the spyware payloads were signed with a code signing certificate issued to “RCS SpA.” Further evidence linking the campaign to the vendor included the use of unique network indicators that matched infrastructure previously associated with RCS Lab’s activities. In response to the discovery, Google released security updates to patch the vulnerability. The CVE-2022-2294 flaw was addressed in Chrome version 103.0.5060.71, which was released on July 4, 2022. Google also took steps to notify all Android users who were confirmed targets of the Hermit spyware campaign.
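Since the fix for CVE-2022-2294 shipped in Chrome 103.0.5060.71, the practical defender's follow-up is checking which installs still run an older build. The script below is an added example, not code from Google TAG or the article; it assumes a hypothetical inventory of (hostname, Chrome version) pairs and uses a dotted-version comparison that pads short versions with zeros and treats unparseable versions as exposed rather than silently skipping them.

```python
"""Flag Chrome installs still exposed to CVE-2022-2294 (WebRTC heap overflow).

Hypothetical fleet-inventory check: the fix shipped in Chrome 103.0.5060.71,
so any build with a lower dotted version is treated as still vulnerable.
"""
from typing import Iterable

FIXED_VERSION = "103.0.5060.71"  # first patched release named in the article


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '103.0.5060.71' into (103, 0, 5060, 71); raise on junk input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is at or above the first fixed build.
    Shorter tuples are zero-padded so '103.0' compares below '103.0.5060.71'."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def find_exposed(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return hostnames whose Chrome build predates the fix, plus hosts whose
    version string could not be parsed (counted as exposed, not ignored)."""
    exposed = []
    for host, version in inventory:
        try:
            if not is_patched(version):
                exposed.append(host)
        except ValueError:
            exposed.append(host)
    return exposed


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("ws-rome-01", "103.0.5060.53"),     # older 103 build, below the fix
    ("ws-rome-02", "103.0.5060.71"),     # exactly the fixed release
    ("ws-almaty-01", "102.0.5005.115"),  # previous major, below the fix
    ("ws-almaty-02", "104.0.5112.79"),   # later major, above the fix
    ("ws-lab-03", "unknown"),            # unparseable, reported as exposed
]

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: Chrome build predates the CVE-2022-2294 fix")
```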