Google warns of commercial Heliconia spyware hitting Chrome, Firefox, Microsoft Defender
Meanwhile NSO faces new lawsuit over Pegasus flying onto journalists' phones
Google's Threat Analysis Group (TAG) said on Wednesday that its researchers discovered commercial spyware called Heliconia that's designed to exploit vulnerabilities in Chrome and Firefox browsers as well as Microsoft Defender security software.
Google's researchers said they became aware of the framework after an anonymous Chrome bug report that included instructions and source code with the names "Heliconia Noise," "Heliconia Soft" and "Files."
Their analysis of the bug submissions showed that they contained tools for delivering exploit code and included references to a possible developer of the frameworks, Variston IT, a security firm based in Barcelona, Spain. Variston IT did not immediately respond to a request for comment.
- We're likely only seeing 'the tip of the iceberg' of Pegasus spyware use against the US
- Uncle Sam to clip wings of Pegasus-like spyware – sorry, 'intrusion software' – with proposed export controls
- Koch-funded group sues US state agency for installing 'spyware' on 1m Android devices
- 'Fully undetectable' Windows backdoor gets detected
The three components perform the following functions: Heliconia Noise is a web framework for deploying an exploit for a Chrome renderer bug (now fixed) followed by a sandbox escape; Heliconia Soft is a web framework that deploys a PDF containing a Windows Defender exploit; and Files is a set of Firefox exploits for Linux and Windows.
According to TAG, Google, Microsoft, and Mozilla fixed the vulnerabilities being targeted in 2021 and early 2022, so provided you're patched safety should be assured. TAG has also added a Heliconia detection mechanism to Google's Safe Browsing service and urges internet users to keep their browsers and software up to date as a defense against exploits.
"TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe," said Clement Lecigne and Benoit Sevens, in a blog post. "Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents."
Chris Clements, VP of solutions architecture at cybersecurity biz Cerberus Sentinel, told The Register that commercial spyware is simply spyware that companies try to make acceptable by claiming that they sell only to governments – as if spying on citizens needs no justification.
"Commercial spyware vendors operate in a space that in any other context is indistinguishable from cybercrime," said Clements. "The exploits they develop and surveillance functions of their products are indeed by definition malware."
"These organizations often shield themselves from legal consequences by claiming to only sell their tools for ethical use by governments and law enforcement; however these claims have been repeatedly found to be untrue for some spyware vendors."
Clements said, in his opinion, that the only difference between commercial spyware makers and sellers of ransomware-as-a-service or initial access brokers on the dark web is their target customer base and the level of polish of their product.
And while we're talking spyware...
The NSO Group, possibly the most widely known commercial spyware vendor for its Pegasus software, was sued on Wednesday by the Knight Institute at Columbia University, acting on behalf of 15 journalists and other members of El Salvador-based news organization El Faro.
The complaint alleges that NSO Group and its parent company, Q Cyber Technologies, violated US law by helping to deploy Pegasus spyware to remotely access journalists' iPhones.
NSO Group was previously sued by Facebook and its WhatsApp subsidiary based on claims Pegasus was used to compromise WhatsApp on users' phones. NSO Group's attempts to have that claim dismissed based on its assertion that the immunity of foreign states from prosecution gets inherited by their non-governmental vendors has so far been rejected in US courts.
The company now waits to see whether the US Supreme Court will consider its appeal, which last month asked the US government to weigh in.
In an amicus brief [PDF] advising the Supreme Court not to hear NSO Group's case, the US Solicitor General said while the US Government was not prepared to seek a categorical decision that would preclude any such immunity claim in the future, "NSO plainly is not entitled to immunity here." ®