Google researchers said on Wednesday they have linked an IT company based in Barcelona, Spain, to selling advanced software frameworks that exploit vulnerabilities in Chrome, Firefox and Windows Defender.
Variston IT bills itself as a provider of tailor-made information security solutions, including embedded SCADA (Supervisory Control and Data Acquisition) technology and IoT integrators, custom security patches for proprietary systems, data discovery tools, security training, and development of secure protocols for embedded devices. According to a report by Google’s Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on the devices they want to spy on.
Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used against n-day vulnerabilities, that is, ones patched recently enough that some targets had yet to install the fixes. They added that evidence indicates the frameworks were also used while the vulnerabilities were still zero-days. The researchers revealed their findings in an effort to disrupt the spyware market, which they said is thriving and poses a threat to a range of groups.
“TAG research confirms that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risks for internet users around the world,” they wrote. “Commercial spyware puts advanced surveillance capabilities in the hands of governments who use it to spy on journalists, human rights activists, political dissidents, and dissidents.”
The researchers went on to describe the frameworks, which they received from an anonymous source through Google’s Chrome bug reporting program. Each one comes with instructions and an archive containing the source code. The frameworks came under the names Heliconia Noise, Heliconia Soft, and Files. They contained “mature source code capable of deploying exploits for Chrome, Windows Defender, and Firefox” respectively.
Included with the Heliconia Noise framework is code that cleans up the binaries the framework produces, to ensure that they do not contain strings that could incriminate the developers. As the image of the cleanup script shows, the list of bad strings included “Variston”.
Variston officials did not respond to an email seeking comment for this post.
The frameworks exploited vulnerabilities that were fixed by Google, Microsoft, and Firefox in 2021 and 2022. Heliconia Noise included an exploit for the Chrome renderer, along with an exploit to escape Chrome’s security sandbox, which is designed to keep untrusted code contained in a protected environment that cannot access sensitive parts of the operating system. Because the vulnerabilities were discovered internally, they have no CVE designations.
The customer can configure Heliconia Noise to set things like a maximum number of times to serve exploits, an expiration date, and rules that specify when a visitor should be considered a valid target.
The Files framework contained a fully documented exploit chain for Firefox running on Windows and Linux. It exploited CVE-2022-26485, a use-after-free vulnerability that Firefox fixed last March. The researchers said Files likely exploited the code-execution vulnerability since at least 2019, well before it was publicly disclosed or patched. It worked against Firefox versions 64 to 68. Unprotected dependencies were fixed in 2019.
The researchers painted a picture of an increasingly out-of-control exploit market. They wrote:
TAG’s research shows the prevalence of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities previously only available to governments with large pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the Internet less secure, and while surveillance technology may be legal under national or international laws, it is often used in malicious ways to conduct digital espionage against a range of groups. These breaches represent a serious risk to online security, which is why Google and TAG will continue to take action against the commercial spyware industry and publish research on it.
Variston joins the ranks of other exploit vendors, including NSO Group, Hacking Team, Accuvant, and Candiru.