A Spanish company that offers “tailor made Information Security Solutions” may have exploited vulnerabilities in Chrome, Firefox and the Microsoft Defender antivirus program to deploy spyware, researchers with Google’s Threat Analysis Group said Wednesday.
The company’s apparent exploitation framework called “Heliconia” provided “all the tools necessary to deploy a payload to a target device,” the researchers said. And although the team has not detected active exploitation, researchers added “it appears likely these were utilized as zero-days in the wild.”
A script within the code that Google examined referred to Variston IT, a Barcelona company that offers “Custom Security” solutions and tools that support “the discovery of digital information by [law enforcement agencies],” among other services.
Google, Microsoft and Mozilla fixed the relevant vulnerabilities in 2021 and early 2022, researchers said.
The revelations land as the White House prepares to deploy policy initiatives, including an executive order, that would limit the U.S. government’s ability to use commercial spyware, CyberScoop’s Tonya Riley reported Nov. 18.
The proposal may leave wiggle room for the U.S. government to use spyware, Riley reported, but “the measure would entail the latest effort by the Biden administration to address the privacy risks posed by highly intrusive software used by law enforcement and intelligence agencies around the world.”
Heliconia was discovered when an anonymous party submitted three vulnerabilities to the Chrome bug reporting program, each with instructions and an archive that contained source code. The bug reports contained three unique names: “Heliconia Noise,” “Heliconia Soft,” and “Files.”
An analysis of the submissions revealed the frameworks capable of deploying exploits in the wild and also a script within the source code that checked whether binaries contained sensitive strings including “variston,” the company name, as well as the project or developer names, the researchers said.
Variston did not immediately respond to a request for comment Wednesday.
Publishing details of the framework and the relevant vulnerabilities is part of Google’s ongoing effort to expose and push back against commercial spyware vendors, the researchers said.
“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise,” the researchers wrote. “The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.”
In June the same team at Google exposed the activities of an Italian spyware firm called RCS Labs that was working with unnamed internet service providers to install malicious apps on targets’ phones in Italy and Kazakhstan.
Eight Chrome zero-days have been resolved this year, with the most recent being announced on Thanksgiving, Security Week reported Nov. 28. Earlier this summer, Google Project Zero’s Maddie Stone reported that as of June 15, 18 zero-days had been detected and exploited in the wild in 2022. In 2021, 58 in-the-wild exploits were detected and disclosed, Stone reported in April, the most ever recorded since Project Zero began its tracking efforts in mid-2014, likely due to better detection abilities.
Corrected Nov. 30, 2022: This story has been corrected to update the timing of reporting on an anticipated executive order to limit the U.S. government’s use of spyware. CyberScoop was not the first publication to cover the expected White House ban.