Browser Zero Days Linked To Commercial IT Firm In Spain

The word ZERO-DAY is hidden amidst a screen filled with ones and zeroes.

Google researchers said on Wednesday they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender.

Variston IT bills itself as a provider of tailor-made information security solutions, including: technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators; custom security patches for proprietary systems; tools for data discovery; security training; and the development of secure protocols for embedded devices. According to a report from Google’s Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices they want to spy on.

Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used to exploit n-day vulnerabilities, which are those that have been patched recently enough that some targets haven’t yet installed them. Evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero-days. The researchers are disclosing their findings in an attempt to disrupt the market for spyware, which they said is booming and poses a threat to various groups.

“TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe,” they wrote. “Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition, and dissidents.”

The researchers went on to catalog the frameworks, which they received from an anonymous source through Google’s Chrome bug reporting program. Each one came with instructions and an archive containing the source code. The frameworks came with the names Heliconia Noise, Heliconia Soft, and Files. The frameworks contained “mature source code capable of deploying exploits for Chrome, Windows Defender, and Firefox,” respectively.

Included in the Heliconia Noise framework was code for cleaning up binary files before they are produced by the framework to ensure they don’t contain strings that could incriminate the developers. As the image of the cleaning script shows, the list of bad strings included “Variston.”

Officials from Variston didn’t respond to an email seeking comment for this post.

The frameworks exploited vulnerabilities that Google, Microsoft, and Firefox fixed in 2021 and 2022. Heliconia Noise included both an exploit for the Chrome renderer and an exploit for escaping the Chrome security sandbox, which is designed to keep untrusted code contained in a protected environment that can’t access sensitive parts of an operating system. Because the vulnerabilities were discovered internally, there are no CVE designations.

Heliconia Noise could be configured by the customer to set things like the maximum number of times to serve the exploits, an expiration date, and rules specifying when a visitor should be considered a valid target.

Heliconia Soft included a booby-trapped PDF file that exploited CVE-2021-42298, a bug in the JavaScript engine of Microsoft Defender Malware Protection that was fixed in November 2021. Simply sending someone the document was enough to gain coveted system privileges on Windows because Windows Defender automatically scanned incoming files.

The Files framework contained a fully documented exploit chain for Firefox running on Windows and Linux. It exploits CVE-2022-26485, a use-after-free vulnerability that Firefox fixed last March. The researchers said Files likely exploited the code-execution vulnerability since at least 2019, long before it was publicly known or patched. It worked against Firefox versions 64 to 68. The sandbox escape Files relied on was fixed in 2019.

The researchers painted a picture of an exploit market that’s increasingly out of control. They wrote:

TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.

Variston joins the ranks of other exploit sellers, including NSO Group, Hacking Team, Accuvant, and Candiru.