Spyware Vendor’s Heliconia Framework Exploits Browser Vulnerabilities – Security Boulevard

Posted under Programming, Technology On By James Steward

The Home of the Security Bloggers Network
Home » Security Boulevard (Original) » Spyware Vendor’s Heliconia Framework Exploits Browser Vulnerabilities
A company in Barcelona that purports to offer custom security solutions is tied to exploitation frameworks that can deploy spyware.
Variston IT’s “Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. Google, Microsoft and Mozilla fixed the affected vulnerabilities in 2021 and early 2022,” the Google Threat Analysis Group (TAG) wrote in a blog post. “While we have not detected active exploitation, based on the research below, it appears likely these were utilized as zero-days in the wild.”
As a result of these findings, “TAG has created detections in Safe Browsing to warn users when they attempt to navigate to dangerous sites or download dangerous files,” the post noted. “To ensure full protection against Heliconia and other exploits, it’s essential to keep Chrome and other software fully up-to-date.”
TAG first became aware of the framework after someone anonymously made a submission to the Google Chrome bug reporting program. “The submitter filed three bugs, each with instructions and an archive that contained source code. They used unique names in the bug reports including, ‘Heliconia Noise,’ ‘Heliconia Soft’ and ‘Files,’” the researchers wrote. “TAG analyzed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.”
The three exploitation frameworks “included mature source code capable of deploying exploits for Chrome, Windows Defender and Firefox,” and have since been patched. Nevertheless, “it is likely the exploits were used as zero-days before they were fixed,” TAG wrote.
Researchers described the frameworks as such:
Heliconia Noise “is a web framework for deploying a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation. A manifest file in the source code provides a product description. The Chrome renderer exploit supports Chrome versions 90.0.4430.72 (April 2021) to 91.0.4472.106 (June 2021). It takes advantage of a V8 deoptimizer bug fixed in August 2021. As is currently normal for internally found Chrome bugs, no CVE was assigned.”
Heliconia Soft “is a web framework that deploys a PDF containing a Windows Defender exploit. It exploits CVE-2021-42298, a bug in the JavaScript engine of Microsoft Defender Malware Protection that was fixed in November 2021. The exploit achieves SYSTEM privileges with a single vulnerability and the only action required by the user is to download a PDF, which triggers a scan by Windows Defender.”
Heliconia Files “contained a fully documented Firefox exploit chain for Windows and Linux. For remote code execution, it exploits CVE-2022-26485, a use-after-free vulnerability in the XSLT processor that was reported in March 2022 as being exploited in the wild. TAG assesses that the Heliconia Files package likely exploited this RCE vulnerability since at least 2019, well before the bug was publicly known and patched. The Heliconia exploit is effective against Firefox versions 64 to 68, suggesting it may have been used as early as December 2018 when version 64 was first released. Additionally, when Mozilla patched the vulnerability, the exploit code in their bug report shared striking similarities with the Heliconia exploit, including the same variable names and markers. These overlaps suggest the exploit author is the same for both the Heliconia exploit and the sample exploit code Mozilla shared when they patched the bug.”
Noting that “commercial spyware vendors can be problematic,” Mike Parkin, senior technical engineer at Vulcan Cyber, explained, “They can operate in something of a gray area of the law, where their official clients are agencies that may not be subject to common privacy laws. Police and State level Intelligence agencies, for example, are often allowed exceptions that let them use the tools commercial spyware vendors provide.” But the intent is not all bad, nor are the vendors without usefulness.
“While the legality and ethics of these vendors is debatable, they do provide a service that legitimate agencies may require to fulfill their mandates,” said Parkin. “The challenge is when these vendors are not careful about who they sell their services to or when their products damage the targets. While most people wouldn’t be too concerned if a known criminal were impacted, they are often used against people and organizations where these tools are not necessarily appropriate.”
From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
teri-robinson has 144 posts and counting.See all posts by teri-robinson
More Webinars
Security Boulevard Logo White
DMCA

source

Note that any programming tips and code writing requires some knowledge of computer programming. Please, be careful if you do not know what you are doing…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.