Cybersecurity researchers from Google’s Threat Analysis Group (TAG) say a commercial company from Spain has developed a exploitation network (Opens in a new tab) for Windows, Chrome, and Firefox, and you’ve likely sold it to government agencies sometimes in the past.
In a blog post published earlier this week, the TAG team said that a Barcelona-based company called Variston IT is likely linked to the Heliconia framework, which exploits back-to-day vulnerabilities in Chrome, Firefox and Google Chrome. Microsoft Defender (Opens in a new tab). It also says that the company has likely provided all the tools needed to deploy the payload on the target End point (Opens in a new tab).
Do not activate exploits
All affected companies fixed vulnerabilities exploited by the Heliconia framework in 2021 and early 2022, and given that TAG found no active exploits, the framework was most likely used in zero days. However, to fully protect against Heliconia, TAG suggests all users to keep their software up-to-date.
Google was first alerted to Heliconia via an anonymous submission to Chrome (Opens in a new tab) Bug reporting program. Whoever submitted the submission added three bugs, each with instructions and an archive with source code. They were called “Heliconia Noise”, “Heliconia Soft”, and “Files”. Further analysis showed that it contains “frameworks for deploying exploits in the wild” and that the source code refers to Variston IT.
Heliconia Noise is described as a framework for spreading a vulnerability for a bug in the Chrome renderer, followed by the possibility of escaping from the sandbox. On the other hand, Heliconia Soft is a web framework that publishes a PDF containing an exploit for Windows Defender, while the files are a collection of Fire Fox (Opens in a new tab) Exploits have been found on both Windows and Linux.
Given the fact that the Heliconia exploit runs on Firefox versions 64-68, it was likely in use in late 2018, as Google suggests.
Speaking to TechCrunch, Variston CIO Ralf Wegner said the company wasn’t aware of Google’s research and couldn’t verify the results, but added that he “would be surprised if this item was found in the wild.”
commercial Spying programs (Opens in a new tab) is a growing industry, says Google, adding that it will not stand by as these entities sell vulnerabilities to governments who then use them to target political opponents, journalists, human rights activists, and dissidents.
Perhaps the most famous example of this is the Israel-based NSO Group and its Pegasus spyware, which has put the company on a US blacklist.
Across: Techcrunch (Opens in a new tab)