A Spanish company called Variston IT has posed as a provider of custom security solutions while using its Heliconia framework to exploit n-day vulnerabilities in Chrome, Firefox and Microsoft Defender, supplying the tooling needed to deploy a payload to a target device.
The claims come from Google’s Threat Analysis Group (TAG), which published an advisory about the threat on Wednesday, saying the affected vulnerabilities were from 2021 and early 2022 and have since been patched by the three companies.
“While we have not detected active exploitation, based on the research below, it appears likely these were utilized as zero-days in the wild,” the tech giant wrote.
“TAG has created detections in Safe Browsing to warn users when they attempt to navigate to dangerous sites or download dangerous files. To ensure full protection against Heliconia and other exploits, it’s essential to keep Chrome and other software fully up-to-date.”
According to Chris Clements, VP of solutions architecture at cybersecurity company Cerberus Sentinel, this type of spyware highlights a particular trend.
“Commercial spyware vendors operate in a space that in any other context is indistinguishable from cybercrime,” Clements told Infosecurity.
“The exploits they develop and surveillance functions of their products are indeed, by definition, malware. These organizations often shield themselves from legal consequences by claiming to only sell their tools for ethical use by governments and law enforcement; however, these claims have been repeatedly found to be untrue for some spyware vendors.”
Clements further argued that the only difference between these organizations and Ransomware as a Service (RaaS) vendors on the dark web is their target customers and the level of polish put into their product.
“Unfortunately, there is often little oversight in ensuring that these companies adhere to their stated ethical standards in who they sell to and whom their customers target with their products,” the executive explained.
“Because these products are professionally developed for the commercial market, they are often as user friendly as they are devastatingly effective in compromising their targets by employing zero-day or near zero-day exploits that have little or no defense.”
To prevent attacks like this, Clements suggested companies keep devices and software as up-to-date as possible with security patches.
“If a person is worried about being targeted, employ the use of emerging solutions like Apple’s recently introduced ‘lockdown mode’ to limit your exposure at the expense of some conveniences and functionality.”