Suspected supply chain attack backdoors courtroom recording software

May 24, 2024 TH Author

Justice is served… or should that be saved now that audio-visual software deployed in more than 10,000 courtrooms is once again secure after researchers uncovered evidence that it had been backdoored for weeks.

The incident is being treated as a suspected supply chain attack at Justice AV Solutions (JAVS) by researchers at security shop Rapid7, which launched an investigation following an alert in a customer’s MDR solution.

JAVS is a Kentucky-based software vendor that specializes in developing apps for use in courtrooms, prisons, and lecture theaters, among others. One of its installers is believed to have been poisoned by an unknown attacker and anyone running JAVS Viewer v8.3.7 should probably spring into action right away.

Mitigating the threat, tracked as CVE-2024-4978 (8.7), is a little more technical than simply upgrading to a secured version. Given that the backdoor allowed attackers full access to infected systems, and as a result could have established persistence, Rapid7 analysts say a full re-imaging job is required.

“Reimage any endpoints where JAVS Viewer 8.3.7 was installed,” the ten-strong analyst crew blogged. “Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.

“Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.”

Credentials used in web browsers should also be reset since sessions could be hijacked to steal cookies, passwords, and other secrets. Only after these steps are taken should users install the latest safe version of the software (8.3.9 or later).

Examining the installer, Ipek Solak, the detection and response analyst at Rapid7 who discovered the issue, spotted a binary called fffmpeg.exe that was quickly outed as one that provided remote access via a command and control (C2) server.

Quick note: any sightings of ffmpeg.exe in the installer are fine – it’s supposed to be there. Three f’s mean you’re in trouble. Two is fine.

fffmpeg.exe has previously been linked with the known GateDoor/Rustdoor malware family first discovered by S2W earlier this year, and running its SHA1 hash through VirusTotal reveals multiple vendors flagging it as a malicious dropper. It was, we’re told, also signed using a certificate registered to “Vanguard Tech Limited”, rather than “Justice AV Solutions Inc” like all the other legitimate files in the installer.

In practice, the binary collected system details and sent them back to the attacker via the C2 channel. It allowed attackers to run obfuscated PowerShell scripts, which were revealed to bypass anti-malware protections, disable Event Tracing for Windows, and download an additional payload.

Attackers would then use additional binaries to scrape browser credentials, hence the need for potential victims to reset theirs before upgrading to a safe version.

Disclosure timeline and JAVS’ response

The first eyes on JAVS came in early April after a threat intelligence researcher at S2W Xeeted about malware being hosted on the vendor’s downloads page, but it didn’t get much attention at the time.

It was over a month later, on May 10, when a Rapid7 customer’s MDR picked up an iffy-looking file, prompting the company’s analysts to investigate. By the time Rapid7 traced the source to JAVS’ downloads page, it reckons the malware was no longer hosted there.

We’re still none the wiser as to why this is the case, or who removed it from the site. We got in touch with JAVS but didn’t receive an immediate response.

Days later, a separate malicious installer was found on the JAVS downloads page, different from the iffy file that thrust Rapid7 into action.

“This confirms that the vendor site was the source of the initial infection,” Rapid7 claimed.

We couldn’t get a hold of JAVS for its side of the story, but it did provide a statement to the researchers, saying it worked with authorities to understand what was happening, and now believes its downloads page is safe and free from malware.

“The file in question did not originate from JAVS or any 3rd party associated with JAVS,” said the vendor. “We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install.

“Any files found signed by other parties should be considered suspect. We are revisiting our release process to strengthen file certification. We strongly suggest that customers keep updated with all software releases and security patches and use robust security measures, such as firewalls and malware protection.”

JAVS added that its own technicians usually install the software that was backdoored and they always validate their installations.

“We appreciate your understanding and cooperation in maintaining a secure environment for all our users. If you have any questions or concerns, please do not hesitate to contact our support team at 1-877-JAVSHLP (877-528-7457).”

The number of affected users isn’t known. We asked JAVS and will update the story when we know more. ®