Google researchers said on Wednesday they had linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox and Windows Defender.
Variston IT presents itself as a provider of tailor-made information security solutions, including technology for integrated SCADA (supervisory control and data acquisition) integrators and the Internet of Things, personalized security patches for proprietary systems, data discovery tools, security training and development of secure protocols for embedded devices. According to a report from Google’s Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices. he wants to spy on.
Researchers Clément Lecigne and Benoit Sevens said exploit frameworks are used to exploit n-day vulnerabilities, which are ones that have been patched recently enough that some targets haven’t yet installed them. The evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero days. The researchers are disclosing their findings in an effort to disrupt the spyware market, which they say is booming and poses a threat to various groups.
“TAG’s research underscores that the commercial surveillance industry is thriving and has grown significantly in recent years, creating risks for internet users around the world,” they wrote. “Commercial spyware puts advanced surveillance capabilities into the hands of governments who use it to spy on journalists, human rights activists, political opposition and dissidents.”
The researchers then listed the frameworks, which they received from an anonymous source through Google’s Chrome bug reporting program. Each came with instructions and an archive containing the source code. The frameworks were called Heliconia Noise, Heliconia Soft and Files. The frameworks contained “mature source code capable of deploying exploits for Chrome, Windows Defender, and Firefox, respectively.”
The Heliconia Noise framework included code to clean up binaries before they were produced by the framework to ensure they didn’t contain strings that could incriminate developers. As the image of the cleanup script shows, the list of bad strings included “Variston”.
Variston officials did not respond to an email seeking comment on the post.
The frameworks exploited vulnerabilities that Google, Microsoft, and Firefox patched in 2021 and 2022. Heliconia Noise included both an exploit for the Chrome renderer, as well as an exploit to evade the Chrome security sandbox, which is designed to keep untrusted code contained in a protected environment. environment that cannot access sensitive parts of an operating system. Because the vulnerabilities were discovered internally, there are no CVE designations.
Heliconia Noise can be configured by the customer to set things like the maximum number of times to serve exploits, an expiration date, and rules specifying when a visitor should be considered a valid target.
Heliconia Soft included a booby-trapped PDF file that exploited CVE-2021-42298, a bug in the Microsoft Defender Malware Protection JavaScript engine that was patched in November 2021. Simply sending the document to someone was enough to get coveted system privileges on Windows as Windows Defender automatically scanned incoming files.
The Files framework contained a fully documented exploit chain for Firefox running on Windows and Linux. It exploits CVE-2022-26485, a use-after-release vulnerability that Firefox patched last March. The researchers said Files had likely exploited the code execution vulnerability since at least 2019, long before it was publicly known or patched. This worked with Firefox versions 64-68. The sandbox escape files relied on were fixed in 2019.
Researchers have painted a picture of an exploitative market growing out of control. They wrote:
TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the internet less secure, and although surveillance technology may be legal under national or international laws, it is often used in harmful ways to conduct espionage. digital against a range of groups. These abuses pose a serious risk to online security, which is why Google and TAG will continue to take action against the commercial spyware industry and publish research about it.
Variston joins the ranks of other exploit vendors, including NSO Group, Hacking Team, Accuvant, and Candiru.
#Chrome #Defender #Firefox #0days #linked #commercial #company #Spain