DISORDER IN THE COURT
Crooks plant backdoor in software used by courtrooms around the world
It's unclear how the malicious version of JAVS Viewer came to be.
Dan Goodin – May 23, 2024 10:46 pm UTC
A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, researchers reported Thursday, in the latest episode of a supply-chain attack.
The software, known as the JAVS Viewer 8, is a component of the JAVS Suite 8, an application package courtrooms use to record, play back, and manage audio and video from proceedings. Its maker, Louisville, Kentucky-based Justice AV Solutions, says its products are used in more than 10,000 courtrooms throughout the US and 11 other countries. The company has been in business for 35 years.

JAVS Viewer users at high risk
Researchers from security firm Rapid7 reported that a version of the JAVS Viewer 8 available for download on javs.com contained a backdoor that gave an unknown threat actor persistent access to infected devices. The malicious download, planted inside an executable file that installs the JAVS Viewer version 8.3.7, was available no later than April 1, when a post on X (formerly Twitter) reported it. It's unclear when the backdoored version was removed from the company's download page. JAVS representatives didn't immediately respond to questions sent by email.
"Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action," Rapid7 researchers Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger wrote. "This version contains a backdoored installer that allows attackers to gain full control of affected systems."
The installer file was titled JAVS Viewer Setup 8.3.7.250-1.exe. When executed, it copied the binary file fffmpeg.exe to the file path C:\Program Files (x86)\JAVS\Viewer 8. To bypass security warnings, the installer was digitally signed, but with a signature issued to an entity called Vanguard Tech Limited rather than to Justice AV Solutions Inc., the signing entity used to authenticate legitimate JAVS software.
fffmpeg.exe, in turn, used Windows Sockets and WinHTTP to establish communications with a command-and-control server. Once successfully connected, fffmpeg.exe sent the server passwords harvested from browsers and data about the compromised host, including hostname, operating system details, processor architecture, program working directory, and the user name.
The researchers said fffmpeg.exe also downloaded the file chrome_installer.exe from the IP address 45.120.177.178. chrome_installer.exe went on to execute a binary and several Python scripts that were responsible for stealing the passwords saved in browsers. fffmpeg.exe is associated with a known malware family called GateDoor/Rustdoor. The exe file was already flagged by 30 endpoint protection engines.

[Image: A screenshot from VirusTotal showing detections from 30 endpoint protection engines. Credit: Rapid7]
The number of detections had grown to 38 at the time this post went live.
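As an added example (not code from Rapid7, JAVS or this article), the following PowerShell script turns the indicators described above into a defender's host check, and adds the VirusTotal hash lookup the article recommends later as a pre-execution vetting step. It assumes the install directory reported above, that legitimate JAVS binaries carry an Authenticode subject containing "Justice AV Solutions", and that a VirusTotal API key is supplied through a hypothetical VT_API_KEY environment variable; it reads files and queries VirusTotal but never executes or downloads anything.

```powershell
# Added triage example; assumptions: install path as reported in the article,
# legitimate signer subject fragment, and a hypothetical VT_API_KEY variable.
$InstallDir   = 'C:\Program Files (x86)\JAVS\Viewer 8'
$LegitSigner  = 'Justice AV Solutions'   # expected Authenticode subject fragment
$KnownBadName = 'fffmpeg.exe'            # three f's; the real ffmpeg.exe has two

function Test-JavsSignature {
    # Returns the signer and whether it is both valid and the expected vendor.
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid' -and $signer -like "*$LegitSigner*")
    }
}

function Find-JavsIndicators {
    # Collects human-readable findings; an empty result means nothing was seen.
    $findings = @()

    # 1. Binaries in the install directory: known-bad name or unexpected signer
    if (Test-Path $InstallDir) {
        Get-ChildItem -Path $InstallDir -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $check = Test-JavsSignature -Path $_.FullName
                if ($_.Name -ieq $KnownBadName) {
                    $findings += "Known-bad filename present: $($_.FullName)"
                }
                if (-not $check.Trusted) {
                    $findings += "Unexpected or invalid signer on $($_.FullName): $($check.Signer) [$($check.Status)]"
                }
            }
    }

    # 2. A running process with the malicious name, wherever it lives on disk
    Get-Process -Name 'fffmpeg' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Process running: $($_.Path)"
    }

    # 3. Installed-program entries for the affected version (32- and 64-bit hives)
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'JAVS Viewer*' -and $_.DisplayVersion -like '8.3.7*' } |
        ForEach-Object { $findings += "Installed: $($_.DisplayName) $($_.DisplayVersion)" }

    return $findings
}

function Get-VirusTotalVerdict {
    # Looks up a file's SHA-256 in VirusTotal (API v3) before anyone runs it.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ApiKey)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$hash" `
                               -Headers @{ 'x-apikey' = $ApiKey }
        $stats = $r.data.attributes.last_analysis_stats
        [pscustomobject]@{ Sha256 = $hash; Seen = $true
                           Malicious = $stats.malicious; Suspicious = $stats.suspicious
                           Undetected = $stats.undetected }
    } catch {
        # HTTP 404 means VirusTotal has never seen this hash: treat as unknown, not clean
        [pscustomobject]@{ Sha256 = $hash; Seen = $false
                           Malicious = $null; Suspicious = $null; Undetected = $null }
    }
}

# Usage: run the host check, then vet a downloaded installer before executing it.
$hits = Find-JavsIndicators
if ($hits) { $hits | ForEach-Object { Write-Warning $_ } }
else       { Write-Host 'No JAVS Viewer 8.3.7 indicators found on this host.' }
# Get-VirusTotalVerdict -Path '.\JAVS Viewer Setup 8.3.7.250-1.exe' -ApiKey $env:VT_API_KEY
```

The signer check matters as much as the filename check: the article notes the malicious installer was signed, just not by the vendor, so a "valid signature" result on its own is not a clean bill of health. A VirusTotal result of "never seen" is likewise not evidence that a file is safe; a freshly repackaged installer may simply not have been submitted yet.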
The researchers warned that the process of disinfecting infected devices will require care. They wrote:

"To remediate this issue, affected users should:

- Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
- Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
- Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
- Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.

Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise."
The Rapid7 post included a statement from JAVS that confirmed that the installer for version 8.3.7 of the JAVS Viewer was malicious.
"We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems," the statement read. "We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident."
The statement didn't explain how the installer became available for download on its site. It also didn't say if the company retained an outside firm to investigate.
The incident is the latest example of a supply-chain attack, a technique that tampers with a legitimate service or piece of software with the aim of infecting all downstream users. These sorts of attacks are usually carried out by first hacking the provider of the service or software. There's no sure way to prevent falling victim to supply-chain attacks, but one potentially useful measure is to vet a file using VirusTotal before executing it. That advice would have served JAVS users well.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Promoted Comments

Peevester
It should be noted that ffmpeg (note two Fs and not three!) is real software, and part of many open source and even commercial packages. Don't just panic and remove it – if you find a three-f version, or one in a place you don't expect to find executables, run it through virustotal.
Masquerading as software that almost everyone will have on their system someplace is nasty!
May 23, 2024 at 11:06 pm

SnoopCatt
"We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems… etc etc"
I can understand that Justice AV Solutions may not know yet how their product became infected, but surely their statement should include something to say that they are investigating.
Or are they just hoping to acknowledge, do nothing and move on?
May 23, 2024 at 11:21 pm

johnd_2
Interesting that their website fails to mention this. It also makes me wonder how confident you can be about the authenticity of any court recording made with this system if they can be compromised like this.
May 24, 2024 at 3:08 am

Xenoveritas
My money is on an inside job. Probably one of the devs got a brand new crypto wallet in return for swapping out the executable. I would definitely not trust the company when they say their source code is safe. Excuse me, someone repackaged your code and hosted it on your website. I'm guessing nothing is secret or safe at that company anymore.

The one reason to think it might not be an inside job was that the attacker didn't use the original code signing certificate and instead signed the malicious installer with a different one. If it were an inside job, it's likely the attacker would have used the official certificate. So I'd say it's more likely someone external compromised AV Solutions' download server.
But, of course, without more information from them, it's impossible to know how the malicious installer entered their systems and wound up on their server. Their response certainly doesn't rule out either an inside job or a hacker with access to more than just their website.
May 24, 2024 at 3:16 am