Google Links Exploitation Frameworks to Spanish Spyware Vendor Variston


Google's Threat Analysis Group (TAG) has linked three exploitation frameworks, as well as several vulnerabilities that were likely used as zero-days at some point, to a Spanish commercial spyware vendor named Variston.

On its website, Variston says it provides custom security solutions. The Barcelona-based company offers security products and custom patches for embedded systems, including industrial control systems (ICS) and IoT. It also offers data discovery services and training.

Google became aware of Variston’s products after receiving an anonymous submission in the Chrome bug bounty program. The reporter provided information on three vulnerabilities and the analysis of the reports led TAG researchers to Variston.

Google has identified three different exploitation frameworks designed for deploying exploits: Heliconia Noise, a web framework for deploying Chrome exploits; Heliconia Soft, a web framework that deploys a Windows Defender exploit via a PDF file; and Heliconia Files, which contains Firefox exploits for Windows and Linux.

Heliconia Noise is described in a manifest file as a “1-click full chain for Google Chrome without persistence reaching medium integrity”. Google says it can be used to deliver a Chrome renderer exploit, followed by a sandbox escape and agent installation in the post-exploitation stage. The victim needs to access a malicious webpage to trigger the first-stage exploit.

A vulnerability allowing the renderer exploit was patched in August 2021, but it was not assigned a CVE identifier as it was internally found by Google.

Heliconia Soft is designed to exploit CVE-2021-42298, a Microsoft Defender remote code execution vulnerability patched in November 2021. The framework is described as a “Windows Chrome & Chromium Edge 1-click chain without persistency reaching SYSTEM integrity”.

When the victim downloads a specially crafted PDF file, Windows Defender scans it, thus triggering the exploit.

As for Heliconia Files, it delivers a Firefox exploit chain for Windows and Linux. It leverages CVE-2022-26485 for remote code execution, which Mozilla patched with an emergency Firefox update in March 2022 after learning about its existence from Chinese cybersecurity firm Qihoo 360. A sandbox escape vulnerability affecting Firefox for Windows was addressed without a CVE in September 2019.

While the exploits delivered by the Heliconia frameworks are now patched, they were all likely used as zero-days before Google, Mozilla and Microsoft learned of their existence and released fixes. The Firefox remote code execution flaw, for instance, is believed to have been exploited by the Variston product since at least 2019.

“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,” Google said.

This is not the first commercial spyware vendor whose activities and tools have been analyzed by Google. The company has also published reports on Israel-based NSO Group and Italy-based RCS Lab.

Google was also informed recently by Avast about a Chrome zero-day vulnerability exploited by Israel-based spyware vendor Candiru.


By Eduard Kovacs on Wed, 30 Nov 2022 12:57:10 +0000