Google on Wednesday shared the details of newly-exposed exploitation frameworks capable of deploying spyware to targeted devices. Dubbed the “Heliconia” exploits, they appear to have ties to the Spanish company Variston IT, according to Google Threat Analysis Group (TAG).
Heliconia targets n-day vulnerabilities, meaning that there are already patches available for the vulnerabilities. The new frameworks go after vulnerabilities previously found in Chrome, Firefox and Microsoft Defender. All of the vulnerabilities were addressed in 2021 and early 2022. However, Google’s research suggests these exploits were used as zero-days — in other words, before the vulnerabilities were spotted.
To ensure you’re protected against Heliconia and other exploits, it’s important to keep all of your software updated.
The new exploits are the latest to underscore the growth of the commercial spyware industry, Google noted.
“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise,” Google TAG’s Clement Lecigne and Benoit Sevens wrote in a blog post. “The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.”
Google learned about the Heliconia framework from an anonymous submission to its Chrome bug reporting program. Three bugs were detailed: “Heliconia Noise” is a web framework for deploying an exploit for a Chrome renderer bug, followed by a sandbox escape. “Heliconia Soft” is a web framework that deploys a PDF containing a Windows Defender exploit. Lastly, the bug report named “Files” contained a fully documented Firefox exploit chain for Windows and Linux.