Cyber Daily

Courtroom AV software firm warns of supply chain attack

Security researchers spot malicious backdoor in JAVS Viewer courtroom audio/video platform.

David Hollingworth
Tue, 28 May 2024

Researchers at Rapid7 have observed a supply chain attack impacting a company that provides courtroom recording software to customers around the globe. The company is calling on users of the software to upgrade to the latest version immediately.

According to Rapid7, all users running Justice AV Solutions’ JAVS Viewer v8.3.7 are currently at risk, and only a full reimaging of impacted systems will remove the threat.

“Completely reimaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials,” Rapid7’s researchers said in a blog post. “Users should install the latest version of JAVS Viewer (8.3.8 or higher) after reimaging affected systems.”


Rapid7 immediately informed both the vendor and the US Cybersecurity and Infrastructure Security Agency of the issue, with Justice AV Solutions reacting quickly to remediate the impact of the attack.

“Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file,” JAVS said in a statement shared with Rapid7. “We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.”

According to JAVS’ own website, the company’s software is used in “thousands of courts across the world”.

Rapid7 spotted the problem on 10 May, when it began investigating a binary named fffmpeg.exe that appeared to be installed alongside versions of JAVS Viewer downloaded from the company’s website on 5 March.

The investigation revealed that the binary had been signed by an Authenticode certificate in the name of “Vanguard Tech Limited” – an entity with no connections to JAVS. The binary appears to belong to the Gatedoor/Rustdoor malware families and was observed executing several PowerShell scripts on infected devices.

The Authenticode certificate appears to have been created on 10 February, with malicious versions of JAVS Viewer being signed on 21 February. X user @2RunJack2 noted that the malware was being served directly from the vendor’s official download page on 2 April, and that on 17 May the threat actor – who remains unknown – swapped an older binary hosted on its command and control infrastructure for a newer one.

“This indicates that the threat actor is actively updating their C2 infrastructure,” Rapid7 said.

For its part, JAVS has confirmed the malicious file did not originate from it or any related third party.

“We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect,” JAVS said, adding that the company is reworking its release process.

“We strongly suggest that customers keep updated with all software releases and security patches and use robust security measures, such as firewalls and malware protection.”
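The signature check JAVS recommends above can be scripted for a fleet audit. The following PowerShell is an added example written for this article, not code from JAVS or Rapid7: it lists every executable and DLL under an install directory, reports its Authenticode status and signer, and flags the fffmpeg.exe filename and the “Vanguard Tech Limited” signer named in the Rapid7 findings. The install path and the expected certificate subject are assumptions and must be set to match the environment.

```powershell
# Added example (not JAVS or Rapid7 code): audit Authenticode signatures of
# binaries in a JAVS Viewer install directory and flag anything that is not
# signed by the expected publisher. The two defaults below are assumptions.
param(
    [string]$InstallDir      = 'C:\Program Files (x86)\JAVS',  # assumption: adjust
    [string]$ExpectedSubject = 'CN=Justice AV Solutions*'      # assumption: vendor's CN
)

# Signer name reported on the malicious fffmpeg.exe in the article.
$KnownBadSubject = '*Vanguard Tech Limited*'

function Test-JavsBinary {
    param([System.IO.FileInfo]$File)

    $sig     = Get-AuthenticodeSignature -FilePath $File.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Order matters: name and known-bad signer checks come before the generic ones.
    $verdict =
        if ($File.Name -ieq 'fffmpeg.exe')          { 'SUSPECT: filename matches reported backdoor' }
        elseif ($subject -like $KnownBadSubject)    { 'SUSPECT: signed by reported malicious publisher' }
        elseif ($sig.Status -ne 'Valid')            { "SUSPECT: signature status is $($sig.Status)" }
        elseif ($subject -notlike $ExpectedSubject) { 'SUSPECT: signer is not the expected vendor' }
        else                                        { 'ok' }

    [pscustomobject]@{
        File    = $File.FullName
        Status  = $sig.Status
        Signer  = $subject
        Verdict = $verdict
    }
}

# Scan recursively; SUSPECT rows sort ahead of 'ok' rows for quick triage.
Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll -File |
    ForEach-Object { Test-JavsBinary -File $_ } |
    Sort-Object Verdict -Descending |
    Format-Table -AutoSize
```

Any row marked SUSPECT is a reimaging candidate under the Rapid7 guidance quoted earlier, not something to clean in place.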

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
