FortiGuard Labs is aware of a report that a new exploit framework dubbed “Heliconia” was discovered. Heliconia consists of three components that are designed to exploit vulnerabilities in Chrome, Firefox and Windows Defender to deliver payloads. According to outside reports, the exploit framework may have connection with a commercial spyware vendor.Why is this Significant?This is significant because the new exploit framework “Heliconia” is designed to exploit security holes in Chrome, Firefox and Windows Defender and deliver payloads. Google’s Threat Analysis Group (TAG) believes “Heliconia” may have connection with a commercial security solution vendor and the vulnerabilities may have been exploited as a 0-day.What Components are in the Three Components of Heliconia?Heliconia consists of the following three components:Heliconia Noise is designed to exploit a renderer vulnerability in Chrome. It also references a remotely hosted sandbox escape shellcode and installs an agent. While a CVE number has not been assigned to the renderer vulnerability, Google states that the vulnerability affects Chrome version 90.0.4430.72 to 91.0.4472.106 and was patched in August 2021.Heliconia Soft is designed to serve a PDF file containing an exploit for a Windows Defender vulnerability (CVE-2021-42298).Heliconia Files is designed to exploit vulnerabilities in both Windows and Linux versions of Firefox in chain. It first exploits CVE-2022-26485, followed by an unnamed sandbox escape and payload delivery.Have the Vendors Released a Patch for the Vulnerabilities?Patches are available for the reported vulnerabilities.How Widespread is this?While we do not know how widespread this is, CVE-2022-26485 was reportedly exploited by the Heliconia exploit framework as early as 2019. What is the Status of Protection?FortiGuard Labs provides the following IPS signature for CVE-2021-42298:MS.Defender.MpEngine.Remote.Code.ExecutionFortiGuard Labs is currently investigating CVE-2022-26485 for coverage. This Threat Signal will be updated when protection becomes available.
More Stories
stalld-1.19.2-1.fc40
FEDORA-2024-d198253c42 Packages in this update: stalld-1.19.2-1.fc40 Update description: address issues found in Static Application Security testing Fix a service startup...
stalld-1.19.2-1.fc39
FEDORA-2024-9205c35b11 Packages in this update: stalld-1.19.2-1.fc39 Update description: address issues found in Static Application Security testing Fix a service startup...
stalld-1.19.2-1.fc38
FEDORA-2024-a047b1ca2d Packages in this update: stalld-1.19.2-1.fc38 Update description: address issues found in Static Application Security testing Fix a service startup...
USN-6743-3: Linux kernel (Azure) vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This...
ArcaneDoor Attack (CVE-2024-20353 and CVE-2024-20359)
What is the Attack? Cisco issued an advisory on 24th April, regarding its Adaptive Security Appliances, multifunctional devices combining firewall,...
USN-6657-2: Dnsmasq vulnerabilities
USN-6657-1 fixed several vulnerabilities in Dnsmasq. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS....