Google Accuses Spanish Security Firm of Developing Exploit Tools for Chrome And Microsoft Defender

Variston IT develops but doesn’t advertise Heliconia, a web framework that exploits vulnerabilities in Chrome, Firefox and Microsoft Defender.

December 1, 2022

Google has linked zero-day exploits in its flagship browser Chrome, Mozilla Firefox and Microsoft Defender to spyware products developed by Variston IT, a Spanish firm that positions itself as a custom cybersecurity solutions vendor.

According to researchers at Google’s Threat Analysis Group (TAG), Variston IT develops but doesn’t advertise the Heliconia framework, a set of web frameworks that “exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device.”

Google’s research is based on three bug reports submitted anonymously to the company alongside the source code of three frameworks, dubbed Heliconia Noise, Heliconia Soft and Heliconia Files, which identified Variston IT as the developer.

The Heliconia Noise web framework deploys an exploit for a Chrome renderer bug that lets an attacker execute code remotely and then escape the application sandbox to run malware on the host. The renderer bug exists in Chrome versions 90.0.4430.72 (April 2021) through 91.0.4472.106 (June 2021).

Heliconia Soft and Heliconia Files target Microsoft Defender (via a PDF) and Firefox on Linux and Windows, respectively. Specifically, Heliconia Soft can be used to exploit CVE-2021-42298, a flaw in the JavaScript engine of Microsoft Defender’s malware protection. Because Defender automatically scans all incoming files, simply sending a malicious PDF is enough to trigger CVE-2021-42298 and grant the attacker system privileges.


Heliconia Files contained a documented exploit chain for Firefox vulnerability CVE-2022-26485, a remote code execution flaw, in the browser’s Windows and Linux clients (versions 64 to 68). The package could have been used to exploit the flaw since at least 2019, and probably since December 2018, more than three years before the bug was publicly disclosed and patched in March 2022.
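For a defender, the useful question the version ranges above raise is whether any build still present on the estate falls inside them. The following is an added example, not code from the article or from Google TAG, that checks an inventory of browser versions against the ranges the article states; it assumes the Firefox bound "64 to 68" means major versions 64.x through 68.x, and the inventory rows are constructed sample data.

```python
"""Check browser builds against the version ranges named for Heliconia Noise
(Chrome) and Heliconia Files (Firefox). Added example; the inventory below is
constructed, not real asset data."""
from typing import Iterable, List, Tuple

# Affected ranges as stated in the article (inclusive). The Firefox bound
# "64 to 68" is assumed to mean major versions 64.x through 68.x.
CHROME_RANGE = ("90.0.4430.72", "91.0.4472.106")
FIREFOX_RANGE = ("64", "68")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '91.0.4472.106' into (91, 0, 4472, 106) so each component is
    compared numerically; a plain string comparison would rank '9.0.0.0'
    above '90.0.4430.72' and give wrong answers."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high. A bound given with fewer components
    (e.g. '68') is compared against the same-length prefix of the candidate,
    so '68.0.2' counts as inside ('64', '68')."""
    v = parse_version(version)
    lo, hi = parse_version(low), parse_version(high)
    return v[: len(lo)] >= lo and v[: len(hi)] <= hi


def chrome_affected(version: str) -> bool:
    return in_range(version, *CHROME_RANGE)


def firefox_affected(version: str) -> bool:
    return in_range(version, *FIREFOX_RANGE)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows are (hostname, product, version); returns the rows whose
    product/version pair falls in an affected range. Unknown products are
    skipped rather than treated as safe or unsafe."""
    checks = {"chrome": chrome_affected, "firefox": firefox_affected}
    hits = []
    for host, product, version in inventory:
        check = checks.get(product.lower())
        if check and check(version):
            hits.append((host, product, version))
    return hits


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-01", "Chrome", "91.0.4472.106"),   # last build inside the range
    ("ws-02", "Chrome", "91.0.4472.114"),   # first build after the range
    ("ws-03", "Firefox", "68.0.2"),         # major 68 -> inside the range
    ("ws-04", "Firefox", "91.6.0"),         # well past the range
    ("ws-05", "Edge", "96.0.1054.43"),      # product not covered -> skipped
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("affected build:", *row)
```

The prefix comparison is what makes a major-only bound like "68" behave sensibly; the trade-off is that a candidate with fewer components than the bound (for example a bare "90.0" against "90.0.4430.72") compares as below it and is not flagged, so inventories should record full build numbers.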

Google, Microsoft and Mozilla fixed respective product vulnerabilities by early 2022. Google hasn’t detected any active exploitation so far.

Tools such as Heliconia can be leveraged by threat actors to target individuals and organizations. Meta’s investigation earlier this year found that the private surveillance industry is huge and growing, and identified 50,000 users from 100 countries who were spied upon in 2021.

“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise,” Google TAG researchers Clement Lecigne and Benoit Sevens noted.

“The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.”

The U.S. government has placed NSO Group, the infamous developer of the Pegasus spyware, and Candiru on the U.S. Department of Commerce’s Entity List for their role in enabling spyware operations. It is unclear whether Variston IT will be added to the Entity List, given that Google found no evidence of active exploitation.

The findings do, however, make a case for the affected companies to sue Variston IT on the ground that the Spanish company’s product could be used for espionage or cyber attacks.

Conversely, the same logic could also be applied to Google, whose entire ad tech business is based on tracking. The onus is on regulators to settle the definition of spyware and whether it applies to ad tech telemetry, beyond, of course, its use to describe cybercrime.

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
