Google accuses a Barcelona cybersecurity company of installing spyware

The list of companies that sell cybersecurity solutions while simultaneously developing exploit programs keeps growing. After the recent cases, some more widely reported than others, of NSO Group, Hacking Team, Candiru and Accuvant, the Spanish company Variston now joins it, having just been flagged by Google.

According to the technology giant, this Barcelona-based company hides a service that it does not describe on its website. The site does list security patches, custom security tools, development of protocols for embedded devices, technology for SCADA integrators… but, of course, not the software frameworks that help their buyers install malware on a device in order to spy on its owner.

These frameworks contained exploit chains: programs designed to take advantage of a specific vulnerability in a system. To build them, their authors must first analyze the computer system they want to attack, then look for vulnerabilities in the characteristics of the investigated system, which can be found in various parts of the structure of a web application, an operating system or any other software. Finally, they use these exploits to gain access to the operating system console, install malware or trigger a chain of code executions on the device.

According to the Google Threat Analysis Group report, these frameworks were specifically used to exploit n-day vulnerabilities, which the article describes as vulnerabilities that have just been discovered and still have no patch to fix them. “The research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risks for Internet users around the world (…) commercial spyware (also) puts advanced surveillance capabilities in the hands of governments that use them to spy on journalists, human rights activists, political opposition and dissidents,” the report said.

Chronology of events

All this happened, at least, between 2021 and 2022, but how did it reach the ears of Google? Through an anonymous source who used Google’s Chrome bug reporting program. In this case, the submission came with instructions and a file containing the source code. The frameworks were named Heliconia Noise, Heliconia Soft and Heliconia Files, and they contained “mature source code capable of deploying exploits for Chrome, Windows Defender, and Firefox,” respectively.

The Heliconia Noise framework also included code to clean the binaries it produced, ensuring they did not contain strings that could incriminate Variston developers.

The frameworks exploited vulnerabilities that Google, Microsoft and Firefox eventually patched. For example, Heliconia Noise included an exploit for the Chrome renderer, along with an exploit to escape the Chrome security sandbox, which is designed to keep untrusted code contained in a protected environment so that it cannot access sensitive parts of the operating system.

For its part, Heliconia Soft included a PDF file that exploited CVE-2021-42298, a bug in the JavaScript engine of Microsoft Defender Malware Protection, which was fixed in November 2021. Simply sending someone that PDF could yield the coveted system privileges on Windows, since Windows Defender automatically scanned incoming files.

It also exploited CVE-2022-26485, a use-after-free vulnerability that Firefox fixed in March of this year, although the researchers suspect the vulnerabilities may have been exploited as early as 2019.

According to the Google Threat Analysis Group, the growth of the spyware industry puts users at risk and makes the internet less secure. The situation is all the more troubling when those behind these actions are cybersecurity companies selling services and products that go against the very nature of their business.
