A spyware vendor was found exploiting zero-day and N-day vulnerabilities against popular platforms, reported Google’s Threat Analysis Group (TAG).
As per the report, it is possible that the actors responsible for the one of the discovered exploit chains are either customers or partners of the spyware vendor Variston from Spain, or have a close working relationship with them.
The report identifies several popular platforms that have been targeted by the spyware vendors, including Android, iOS, Windows, and macOS.
These platforms are used by billions of people worldwide, making them an attractive target for cyber criminals.
According to the report, spyware vendors are using zero-day vulnerabilities, which are previously unknown software vulnerabilities, to infiltrate targeted systems. This allows them to evade detection and carry out their nefarious activities.
In addition, the spyware vendors are also using N-day vulnerabilities, which are previously known but unpatched software vulnerabilities, to target systems that have not yet been updated with the latest security patches.
“The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices,” said the report.
“Our findings underscore the extent to which commercial spyware vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.”
Spyware vendors, campaigns, and the Spanish connection
Based on the analysis conducted by TAG, it is possible that those behind one of the exploit chains discovered are either customers or partners of the Spanish spyware vendor Variston or have a close working relationship with them.
TAG found a campaign in December 2022, where a complete exploit chain was found targeting the latest version of Samsung Internet Browser in December 2022.
The chain included multiple zero-days and n-days and was delivered via one-time links sent through SMS to devices in the United Arab Emirates (UAE).
“The link directed users to a landing page identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston,” said the report.
“The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor.”
In another campaign found in November 2022, TAG found exploit chains with zero-day vulnerabilities that affected Android and iOS operating systems.
The exploit chains were delivered via bit.ly links sent over SMS to users in Italy, Malaysia, and Kazakhstan.
When clicked, the links redirected users to pages hosting exploits for either Android or iOS and then redirected them to legitimate websites.
The iOS exploit chain targeted versions prior to 15.1 and contained the following exploits, including one 0-day: CVE-2022-42856, a WebKit remote code execution exploiting a type confusion issue within the JIT compiler.
The exact same technique was used in Cytrox exploits as described by Citizenlab in their blog about Predator. CVE-2021-30900, a sandbox escape and privilege escalation bug in AGXAccelerator, fixed by Apple in 15.1.
Variston, the Spanish spyware vendor
Variston, the spyware vendor based in Spain, has been in the cybersecurity news recently for the wrong reasons.
“Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions,” ” said a TAG report published in November 2022.
Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device.”
In the report, TAG revealed that a threat actor was selling spyware designed to exploit n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender.
According to reports, the threat actor used Heliconia, an exploitation framework, to remotely install the spyware on the victims’ devices while posing as a legitimate cybersecurity solutions provider.
The campaign was brought to Google’s attention by an anonymous user who submitted it to the Chrome bug reporting program.
The report alerted Google to the activities of spyware vendors. Heliconia’s exploitation framework can run three different exploitation frameworks, making it more sophisticated than ordinary spyware.