Google researchers said Wednesday they have linked an IT company based in Barcelona, Spain, to selling advanced software frameworks that exploit vulnerabilities in Chrome, Firefox and Windows Defender.
Variston IT bills itself as a provider of tailor-made information security solutions, including technology for embedded SCADA (supervisory control and data acquisition) and IoT integrators, custom security patches for proprietary systems, data discovery tools, security training and development of secure protocols for built-in devices. According to a report from the Google Threat Analysis Group, Variston sells another product that isn’t listed on its website: software frameworks that provide everything a customer needs to secretly install malware on devices they want to spy on.
Researchers Clement Lecigne and Benoit Sevens reported that exploit frameworks were used to exploit n-day vulnerabilities, which are those that have been patched recently enough that some targets have not yet installed them. Evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero days old. The researchers are releasing their findings in an effort to disrupt the spyware market, which they say is booming and posing a threat to various groups.
“TAG’s research underscores that the commercial surveillance industry is booming and has expanded significantly in recent years, posing a risk to Internet users worldwide,” they wrote. “Commercial spyware puts advanced surveillance capabilities in the hands of governments, which use them to spy on journalists, human rights activists, political opposition and dissidents.”
The researchers went on to catalog the frames they received from an anonymous source through Google’s Chrome bug reporting program. Each one came with instructions and an archive containing the source code. The frames came with the names Heliconia Noise, Heliconia Soft and Files. The frameworks contained “mature source code capable of deploying exploits for Chrome, Windows Defender, and Firefox.”
Within Heliconia Noise, code was included to clean binaries before they were created by the framework to ensure they did not contain strings that could incriminate the developer. As the image of the cleanup script shows, the list of bad strings included “Variston”.
Variston officials did not respond to an email seeking comment for this post.
These frameworks exploited vulnerabilities that were patched by Google, Microsoft, and Firefox in 2021 and 2022. Heliconia Noise included a Chrome rendering exploit along with an exploit to escape Chrome’s security sandbox, which is designed to keep untrusted code contained in a protected environment that does not have access to sensitive parts of the operating system. Because the vulnerabilities were discovered internally, there are no CVE designations.
Heliconia Noise can be configured by the customer to set things like the maximum number of exploit impressions, expiration date, and rules determining when a visitor should be considered a valid target.
The Files framework contained a fully documented chain of exploits for Firefox running on Windows and Linux. It exploits CVE-2022-26485, an unused vulnerability that Firefox patched last March. The researchers said Files likely exploited the code execution vulnerability since at least 2019, long before it was publicly known or patched. It worked against Firefox versions 64 to 68. The Sandbox escape files they relied on were patched in 2019.
The researchers painted a picture of an exploitation market that is increasingly out of control. They wrote:
TAG’s research has shown the rise of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities previously only available to governments with deep pockets and technical know-how. The growth of the spyware industry puts users at risk and makes the internet less secure, and although surveillance technologies may be legal under national or international laws, they are often used in malicious ways to conduct digital espionage against a range of groups. These exploits pose a serious risk to online security, which is why Google and TAG will continue to take action against and publish research on the commercial spyware industry.
Variston joins other exploit vendors, including NSO Group, Hacking Team, Accuvant, and Candir.
#Chrome #Defender #Firefox #0days #linked #commercial #company #Spain