Windows, Chrome and Firefox zero-days exploited to spread malware

Zero-day attack
(Image credit: Shutterstock.com)

Cybersecurity researchers from Google’s Threat Analysis Group (TAG) are saying that a commercial company from Spain developed an exploitation network for Windows, Chrome, and Firefox, and likely sold it to government entities sometime in the past.

In a blog post published earlier this week, the TAG team says that a Barcelona-based company called Variston IT is likely tied to the Heliconia framework, which exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It also says the company likely provided all the tools needed to deploy a payload to a target endpoint.

No active exploitations

All the affected companies had fixed the vulnerabilities that were exploited through the Heliconia framework in 2021 and early 2022, and given that TAG did not find any active exploitations, the framework was most likely used on zero-days. Still, to fully protect against Heliconia, TAG suggests all users to keep their software up to date.

Google was first alerted to Heliconia via an anonymous submission to the Chrome bug reporting program. Whoever filed the submission added three bugs, each with instructions and an archive with the source code. They were named “Heliconia Noise”, “Heliconia Soft”, and “Files”. Further analysis has shown that they contained “frameworks for deploying exploits in the wild” and that the source code pointed to Variston IT.

Heliconia Noise is described as a framework for deploying an exploit for a Chrome renderer bug, followed by a sandbox escape. Heliconia Soft, on the other hand, is a web framework that deploys a PDF containing an exploit for Windows Defender, while Files is a set of Firefox exploits found on both Windows and Linux.

Given the fact that the Heliconia exploit works on Firefox versions 64 - 68, it was likely in use in late 2018, Google suggests.

Speaking to TechCrunch, Variston IT director Ralf Wegner said the company wasn’t aware of Google’s research and couldn’t validate the findings, but added that he’d be “surprised if such item was found in the wild.”

Commercial spyware is a growing industry, Google says, adding that it won’t stand idly as these entities sell vulnerability exploits to governments who later use it to target political opponents, journalists, human rights activists, and dissidents. 

Perhaps the most famous example is the Israeli-based NSO Group and its Pegasus spyware, which landed the company on the United States’ blacklist.

Via: TechCrunch

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Avast cybersecurity
An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
Spyware
Government-linked Italian spyware maker caught distributing malicious Android apps
Trojan
WhatsApp patches security flaw which let hackers install spyware
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Chrome icon on Android
Google Chrome extensions hack may have started much earlier than expected
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
Latest in Security
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
Latest in News
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations