430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Google links three exploitation frameworks to Spanish commercial spyware vendor Variston

Google’s Threat Analysis Group (TAG) linked three exploitation frameworks to a Spanish surveillance spyware vendor named Variston. While tracking the activities of commercial spyware vendors, Threat Analysis Group (TAG) spotted an exploitation framework likely linked Variston IT, a Spanish firm. Officially, Variston claims to provide custom security solutions and custom patches for embedded system. The […]

Secret Service seizes a covert communications network near U.N. composed of sophisticated equipment, including 100K SIMs and 300 servers

Google’s Threat Analysis Group (TAG) linked three exploitation frameworks to a Spanish surveillance spyware vendor named Variston.

While tracking the activities of commercial spyware vendors, Threat Analysis Group (TAG) spotted an exploitation framework likely linked Variston IT, a Spanish firm.

Officially, Variston claims to provide custom security solutions and custom patches for embedded system.

The experts reported that the framework includes exploits for n-day vulnerabilities in Chrome, Firefox and Microsoft Defender, the company also provides a collection of tools to deploy a malicious payload to a target device.

The vulnerabilities in Google, Microsoft and Mozilla exploited by the company were fixed in 2021 and early 2022. TAG’s research suggests that the above issues were utilized as zero-days in the wild by the surveillance vendor.

TAG discovered the Heliconia framework after receiving an anonymous submission to the Chrome bug reporting program.

The submitter reported three different exploitation frameworks, instructions, and an archive that contained source code. Their names in the bug reports are “Heliconia Noise,” “Heliconia Soft” and “Files.” The researchers noticed a script in the source code that includes clues pointing to the possible developer of the exploitation frameworks, Variston IT.

“Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0-days before they were fixed.” reads the analysis published by Google.

  • Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
  • Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
  • Files: a set of Firefox exploits for Linux and Windows.

The Heliconia Noise web framework is used to deploy a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation. The Chrome renderer exploit supports Chrome versions 90.0.4430.72 (April 2021) to 91.0.4472.106 (June 2021) and trigger a V8 deoptimizer issue fixed in August 2021.

The Heliconia Soft web framework exploits the CVE-2021-42298 remote code execution vulnerability in Microsoft Defender that was fixed on November 2021. The exploit is triggered when the victim downloads a specially crafted PDF file, which is scanned by Windows Defender.

Heliconia Files framework delivers a Firefox exploit chain for Windows and Linux. It leverages CVE-2022-26485 remote code execution in Firefox, the bug was addressed by Mozilla in March 2022.

“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.” TAG concludes. “These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Variston)

[adrotate banner=”5″]

[adrotate banner=”13″]