TAG (Threat Analysis Group), a specialized security team within Google, has been diligently tracking the activities of commercial spyware vendors for several years. Their ongoing research aims to enhance the safety and security of Google’s products while also sharing valuable intelligence with industry peers. Recent findings from TAG’s investigations shed light on the thriving commercial surveillance industry, which has seen significant expansion in recent times, thereby posing risks to internet users worldwide.
One notable discovery made by TAG involves an exploitation framework known as Heliconia, which has been linked to Variston IT, a company based in Barcelona, Spain. Variston IT claims to offer customized security solutions. The Heliconia framework, identified by TAG’s research, capitalizes on n-day vulnerabilities present in popular software applications such as Chrome, Firefox, and Microsoft Defender. It provides a comprehensive suite of tools necessary for deploying a payload onto a target device. Fortunately, Google, Microsoft, and Mozilla promptly addressed the vulnerabilities, and the affected software versions were patched in 2021 and early 2022.
TAG’s awareness of the Heliconia framework stemmed from an anonymous submission to Google’s Chrome bug reporting program. The submitter filed three separate bug reports, each accompanied by detailed instructions and an archive containing source code. Interestingly, the submitter employed unique names in the bug reports, namely “Heliconia Noise,” “Heliconia Soft,” and “Files.” TAG conducted a thorough analysis of these submissions and discovered that they contained frameworks specifically designed for deploying exploits in real-world scenarios. Moreover, a script within the source code provided vital clues suggesting that Variston IT might be the likely developer behind these exploitation frameworks.
The exploitation frameworks discovered by TAG encompassed mature source code capable of deploying exploits targeting Chrome, Windows Defender, and Firefox. Although the vulnerabilities have since been patched by the respective software vendors, TAG assesses that it is highly probable these exploits were utilized as zero-day vulnerabilities before their official fixes were implemented.
Specifically, the Heliconia Noise framework pertained to a web-based platform designed to exploit a Chrome renderer bug, subsequently facilitating a sandbox escape. Heliconia Soft, on the other hand, was a web framework enabling the deployment of a PDF containing a Windows Defender exploit. Lastly, the Files framework comprised a collection of Firefox exploits targeting both Linux and Windows operating systems.
The revelations made by TAG underscore the persistent threats posed by the commercial surveillance industry and its ability to exploit security vulnerabilities for their own gain. TAG’s efforts to track, analyze, and share intelligence regarding such activities play a vital role in safeguarding internet users and aiding the continued development of robust security measures by industry leaders.
The collaboration between TAG and prominent technology companies like Google, Microsoft, and Mozilla demonstrates the importance of proactive threat analysis, prompt vulnerability patching, and the collective responsibility of the industry to protect users from potential harm. By continuously monitoring and investigating the activities of commercial spyware vendors, TAG reinforces the commitment to securing the digital landscape and ensuring the privacy and safety of users worldwide.