Google has linked exploits for zero-day vulnerabilities in its Chrome browser, as well as in Mozilla Firefox and Microsoft Defender, to spyware products developed by the Spanish company Variston IT, which presents itself as a vendor of custom cybersecurity solutions.
According to researchers in Google’s Threat Analysis Group (TAG), the Heliconia framework “exploited an n-day vulnerability in Chrome, Firefox, and Microsoft Defender” through a series of web frameworks that provide all the tools needed to deploy a payload to the target device.
Google’s research is based on three bug reports submitted anonymously to the company, along with the source code for three frameworks called Heliconia Noise, Heliconia Soft, and Heliconia Files, which points to Variston IT as the developer.
The Heliconia Noise web framework is used to deploy exploits for Chrome renderer bugs that allow attackers to execute code remotely, escape the application sandbox, and run malware. The Chrome renderer exploit affects browser versions 90.0.4430.72 (April 2021) through 91.0.4472.106 (June 2021).
Heliconia Soft and Heliconia Files carry exploits for Microsoft Defender (delivered via PDF) and for Firefox on Linux and Windows, respectively. Specifically, Heliconia Soft can be used to exploit CVE-2021-42298 in the JavaScript engine of Microsoft Defender’s malware protection component. Simply submitting a malicious PDF file is enough to trigger CVE-2021-42298 and give an attacker system privileges, because Defender automatically scans all incoming files.
Heliconia Files contained a documented exploit chain for the Firefox vulnerability CVE-2022-26485 (remote code execution) on Windows and Linux clients (versions 64 to 68). The Heliconia Files package has likely been used to exploit this RCE vulnerability since at least 2019, and possibly since December 2018, when the bug became publicly known; it was patched in March 2022. It may have been in use for more than three years before the
Google, Microsoft, and Mozilla had fixed the vulnerabilities in their respective products by early 2022, and Google has not detected any active exploitation so far.
Attackers can use tools like Heliconia to target individuals and organizations. A Meta survey earlier this year revealed that private-sector surveillance is a large and growing field, with 50,000 users in 100 countries spied on in 2021.
Google TAG researchers Clement Lecigne and Benoit Sevens said:
“The growth of the spyware industry puts users at risk and makes the Internet less secure. It is often used in harmful ways to conduct espionage.”
The US government has placed NSO Group and Candiru, developers of the notorious Pegasus spyware, on the US Department of Commerce Entity List for their role in enabling spyware operations. Given that Google found no evidence of active abuse, it’s unclear whether Variston IT will be added to the Entity List.
However, the findings could lead affected companies to sue Variston IT, alleging that the Spanish company’s products can be used for espionage and cyberattacks.
Conversely, the same logic can be applied to Google, whose entire ad tech business is based on tracking. Regulators should clarify the definition of spyware and decide whether it applies to ad tech telemetry. Of course, some of that telemetry is also used for cybercrime.