Zero-days in Firefox, Chrome and Windows are used to spread malware
2022-12-01
Cybersecurity researchers from Google’s Threat Analysis Group (TAG) say a commercial company from Spain has developed an exploitation framework for Windows, Chrome, and Firefox, and probably sold it to government agencies at some point in the past.

In a blog post published earlier this week, the TAG team says a Barcelona-based company called Variston IT is likely connected to the Heliconia framework, which exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It also says that the company has probably provided all the tools necessary to deploy a payload to a target endpoint.

No active exploits

All affected vendors had fixed the vulnerabilities exploited by the Heliconia framework in 2021 and early 2022, and since TAG found no active exploitation, the framework was most likely used while the flaws were still zero-days. To fully protect against Heliconia, TAG recommends that all users keep their software up to date.

Google was first made aware of Heliconia through an anonymous submission to the Chrome bug reporting program. The submitter filed three bugs, each with instructions and an archive of the source code. They were called “Heliconia Noise”, “Heliconia Soft”, and “Files”. Further analysis revealed that they contained “frameworks for deploying exploits in the wild” and that the source code pointed to Variston IT.

Heliconia Noise is described as a framework for implementing an exploit for a Chrome renderer bug followed by a sandbox escape. Heliconia Soft, on the other hand, is a web framework that implements a PDF with an exploit for Windows Defender, while Files is a set of Firefox exploits for both Windows and Linux.

Given that the Heliconia exploit works on Firefox versions 64 – 68, it was probably in use in late 2018, Google suggests.

Ralf Wegner, Variston’s IT director, told TechCrunch that the company was not aware of Google’s research and could not validate the findings, but added that he “would be surprised if such an asset were found in the wild.”

Commercial spyware is a growing industry, Google says, adding that it will not stand idly by as these entities sell exploits to governments that later use them to target political opponents, journalists, human rights activists and dissidents.

Perhaps the most famous example is the Israel-based NSO Group and its Pegasus spyware, which got the company blacklisted in the United States.

Via: TechCrunch