Chrome, Defender and Firefox 0-days linked to commercial IT company in Spain

[Image: The word ZERO-DAY hidden in the middle of a screen full of ones and zeros. Credit: Getty Images]

Google researchers said Wednesday they have linked a Barcelona, ​​Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox and Windows Defender.

Variston IT markets itself as a provider of bespoke information security solutions, including technology for integrated SCADA (supervisory control and data acquisition) integrators and the Internet of Things, security patches customized for proprietary systems, data discovery tools, security training, and development of secure protocols for embedded devices. According to a report from Google's Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on the devices it wants to spy on.

Researchers Clément Lecigne and Benoit Sevens said that the exploit frameworks are used to exploit n-day vulnerabilities, which are vulnerabilities that have been patched recently enough that some targets have not yet installed the fixes. The evidence suggests, they added, that the frameworks were also used when the vulnerabilities were still zero-days. The researchers are disclosing their findings in an effort to disrupt the spyware market, which they say is booming and poses a threat to various groups.

"TAG's research highlights that the commercial surveillance industry is thriving and has grown significantly in recent years, creating risks for internet users worldwide," they wrote. "Commercial spyware puts advanced surveillance capabilities into the hands of governments who use it to spy on journalists, human rights activists, political opposition and dissidents."

The researchers then listed the frameworks, which they received from an anonymous source through Google's Chrome bug reporting program. Each came with instructions and an archive containing the source code. The frameworks were called Heliconia Noise, Heliconia Soft and Files. The frameworks contained "mature source code capable of deploying exploits for Chrome, Windows Defender, and Firefox, respectively".

The Heliconia Noise framework included code to sanitize binaries before they were produced by the framework to ensure that they did not contain strings that could incriminate developers. As the image of the cleanup script shows, the list of bad strings included "Variston".

[Image: the Heliconia Noise cleanup script. Credit: Google]

Variston officials did not respond to an email seeking comment on this post.

The frameworks exploited vulnerabilities that Google, Microsoft, and Firefox patched in 2021 and 2022. Heliconia Noise included both an exploit for the Chrome renderer and an exploit to evade the Chrome security sandbox, which is designed to contain untrusted code in a protected environment that cannot access sensitive parts of the operating system. Because the vulnerabilities were discovered internally, there are no CVE designations.

Heliconia Noise can be configured by the customer to set things like the maximum number of times to deliver exploits, an expiration date, and rules specifying when a visitor should be considered a valid target.

Heliconia Soft included a booby-trapped PDF that exploited CVE-2021-42298, a bug in the Microsoft Defender Malware Protection JavaScript engine that was patched in November 2021. All you had to do was send the document to someone to gain coveted system privileges on Windows, as Windows Defender automatically scanned incoming files...
