FortiGuard Labs is aware of a report that a new exploit framework dubbed “Heliconia” was discovered. Heliconia consists of three components designed to exploit vulnerabilities in Chrome, Firefox and Windows Defender to deliver payloads. According to outside reports, the exploit framework may be connected to a commercial spyware vendor.

Why is this Significant?

This is significant because the new exploit framework “Heliconia” is designed to exploit security holes in Chrome, Firefox and Windows Defender and deliver payloads. Google’s Threat Analysis Group (TAG) believes “Heliconia” may be connected to a commercial security solution vendor and that the vulnerabilities may have been exploited as 0-days.

What are the Three Components of Heliconia?

Heliconia consists of the following three components:

Heliconia Noise is designed to exploit a renderer vulnerability in Chrome. It also references a remotely hosted sandbox escape shellcode and installs an agent. While a CVE number has not been assigned to the renderer vulnerability, Google states that the vulnerability affects Chrome versions 90.0.4430.72 to 91.0.4472.106 and was patched in August 2021.

Heliconia Soft is designed to serve a PDF file containing an exploit for a Windows Defender vulnerability (CVE-2021-42298).

Heliconia Files is designed to exploit vulnerabilities in both the Windows and Linux versions of Firefox in a chain. It first exploits CVE-2022-26485, followed by an unnamed sandbox escape and payload delivery.

Have the Vendors Released a Patch for the Vulnerabilities?

Patches are available for the reported vulnerabilities.

How Widespread is this?

While we do not know how widespread this is, CVE-2022-26485 was reportedly exploited by the Heliconia exploit framework as early as 2019.
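As an added defender-side example (not part of the FortiGuard report), the following script checks a software inventory against the Chrome version range Google states is affected by the Heliconia Noise renderer bug. It compares versions numerically rather than as strings, which is the usual mistake in such checks; the host names and versions in the sample inventory are constructed.

```python
from typing import Iterable, List, Tuple

# Affected Chrome range as quoted in the report (inclusive bounds, per Google's statement).
AFFECTED_MIN = "90.0.4430.72"
AFFECTED_MAX = "91.0.4472.106"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints for numeric comparison.

    Plain string comparison would rank "91.0.4472.77" above "91.0.4472.106"
    because "7" > "1"; tuples of ints compare component by component instead.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, lo: str = AFFECTED_MIN, hi: str = AFFECTED_MAX) -> bool:
    """True if version falls inside the affected range [lo, hi]."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (hostname, chrome_version) pairs, return hosts still on an affected build."""
    return sorted(host for host, ver in inventory if is_affected(ver))


# Constructed sample inventory (hypothetical hosts; not data from the report).
SAMPLE_INVENTORY = [
    ("ws-01", "90.0.4430.72"),   # lower bound of the range: affected
    ("ws-02", "91.0.4472.106"),  # upper bound of the range: affected
    ("ws-03", "91.0.4472.114"),  # above the range: patched build
    ("ws-04", "89.0.4389.128"),  # below the range: not listed as affected
    ("ws-05", "91.0.4472.77"),   # inside the range: affected
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # → ['ws-01', 'ws-02', 'ws-05']
```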
What is the Status of Protection?

FortiGuard Labs provides the following IPS signature for CVE-2021-42298:

MS.Defender.MpEngine.Remote.Code.Execution

FortiGuard Labs is currently investigating CVE-2022-26485 for coverage. This Threat Signal will be updated when protection becomes available.