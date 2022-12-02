



Google has linked exploits for vulnerabilities in the Chrome browser, Mozilla Firefox, and Microsoft Defender to spyware products developed by Spanish company Variston IT, which has established itself as a vendor of custom cybersecurity solutions.

According to Google’s Threat Analysis Group (TAG) researchers, Variston IT’s Heliconia web framework exploited n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and provided all the tools necessary to deploy a payload to a target device.

Google’s research is based on three bugs reported anonymously to the company, along with source code for three frameworks called Heliconia Noise, Heliconia Soft, and Heliconia Files that indicates Variston IT was the developer.

The Heliconia Noise web framework is used to deploy exploits for Chrome renderer bugs that allow attackers to execute code remotely, escape the application sandbox and run malware. The Chrome renderer exploit exists in popular web browser versions 90.0.4430.72 (April 2021) through 91.0.4472.106 (June 2021).

Heliconia Soft and Heliconia Files address exploits in Microsoft Defender (PDF-driven) and in Firefox on Linux and Windows, respectively. Specifically, Heliconia Soft can be used to exploit CVE-2021-42298 in the JavaScript engine of Microsoft Defender’s malware protection. Because Defender automatically scans all incoming files, delivering a malicious PDF file is enough to trigger CVE-2021-42298 and grant the attacker system privileges.

Heliconia Files contained a documented exploit chain for the Firefox remote code execution vulnerability CVE-2022-26485 on Windows and Linux clients running Firefox versions 64 to 68. The Heliconia Files package has likely been used to exploit this RCE vulnerability since at least 2019, and probably since December 2018; the bug became publicly known and was patched in March 2022. It may have been in use for more than three years before the

Google, Microsoft, and Mozilla have fixed the vulnerabilities in their respective products by early 2022. Google has not detected any active exploits so far.
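The version ranges above are the only concrete indicators the article gives, so the practical defender’s task is to check an endpoint inventory against them. The following script is an added example, not code from the article or from Google TAG: it parses browser versions numerically (a plain string comparison would mis-order builds such as 90.0.4430.72 and 90.0.4430.100) and flags hosts whose Chrome or Firefox build falls inside the reported ranges. The inventory lines are constructed sample data; the ranges are those stated in the article. Microsoft Defender is left out because the article gives no affected version range for CVE-2021-42298.

```python
"""Flag inventory entries whose browser build falls inside the version
ranges Google TAG reported for the Heliconia frameworks.

Added example (not from the article or from Google TAG). The inventory
below is constructed sample data; the ranges come from the article.
"""
import csv
import io
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges as stated in the article.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "chrome": ((90, 0, 4430, 72), (91, 0, 4472, 106)),  # Heliconia Noise renderer exploit
    "firefox": ((64,), (68,)),                           # Heliconia Files, CVE-2022-26485
}

# Constructed inventory: host,product,version (one entry is deliberately malformed).
SAMPLE_INVENTORY = """\
host01,chrome,90.0.4430.72
host02,chrome,91.0.4472.114
host03,firefox,68.0.2
host04,firefox,69.0
host05,chrome,89.0.4389.128
host06,firefox,not-a-version
"""


def parse_version(text: str) -> Version:
    """'91.0.4472.106' -> (91, 0, 4472, 106). Rejects non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: Version, low: Version, high: Version) -> bool:
    """Inclusive, component-wise numeric range test.

    The upper bound is compared as a prefix so that a major-only bound such
    as (68,) still matches every 68.x build. A bare major version such as
    (90,) sorts below (90, 0, 4430, 72) in tuple order, i.e. it is treated
    as 90.0.0.0 and is not flagged; that is the conservative reading when a
    build number is missing.
    """
    return version >= low and version[: len(high)] <= high


def triage(inventory_text: str) -> Dict[str, List]:
    """Return hosts inside an affected range and hosts whose version could not be parsed."""
    exposed: List[Tuple[str, str, str]] = []
    unparseable: List[str] = []
    for row in csv.reader(io.StringIO(inventory_text)):
        if not row:
            continue  # skip blank lines
        host, product, version_text = (field.strip() for field in row[:3])
        bounds = AFFECTED.get(product.lower())
        if bounds is None:
            continue  # product not covered by the reported ranges
        try:
            version = parse_version(version_text)
        except ValueError:
            unparseable.append(host)  # surface bad data rather than silently passing it
            continue
        if in_range(version, *bounds):
            exposed.append((host, product.lower(), version_text))
    return {"exposed": exposed, "unparseable": unparseable}


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for host, product, version in result["exposed"]:
        print(f"{host}: {product} {version} is inside a reported Heliconia range")
    for host in result["unparseable"]:
        print(f"{host}: version string could not be parsed; check the inventory source")
```

Hosts flagged here are only candidates: the article states that the vendors patched these bugs by early 2022, so the useful follow-up is confirming the build is actually still deployed and updating it, not treating the match as evidence of compromise.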

Attackers can use tools like Heliconia to target individuals and organizations. A Meta report earlier this year showed that private-sector surveillance is a large and growing field, identifying 50,000 users in 100 countries who were targeted for surveillance in 2021.

TAG’s research shows a surge in commercial surveillance and the extent to which commercial spyware vendors have developed capabilities previously available only to governments with deep funding and technical expertise. Google TAG researchers Clement Lecigne and Benoit Sevens said:

The growth of the spyware industry puts users at risk and makes the Internet less secure. Surveillance technology may be legal under national or international law, but it is often used in detrimental ways to conduct digital espionage against various groups.

The US government has placed NSO Group, developer of the notorious Pegasus spyware, and Candiru on the US Department of Commerce Entity List for their role in enabling spyware operations. Given that Google found no evidence of active abuse, it is unclear whether Variston IT will be added to the list.

However, the findings could lead to cases of affected companies suing Variston IT, alleging that the Spanish company’s products could be used for espionage and cyberattacks.

Conversely, the same logic could be applied to Google, whose entire ad tech business is based on tracking. Regulators should settle the definition of spyware and decide whether it applies to ad tech telemetry. Of course, some of it is used for cybercrime.

