JAVS Software Compromised in Supply Chain Attack

Backdoored Justice AV Software Used in Supply Chain Attack

An alarming supply chain attack has struck Justice AV Solutions (JAVS), a leading provider of courtroom audio-video recording technology.

Cybersecurity researchers have uncovered a malicious backdoor planted in JAVS's Viewer software, granting remote access to systems running the compromised version.

JAVS's products are widely deployed across the legal sector, with over 10,000 installations worldwide in courtrooms, law offices, correctional facilities and government agencies. The backdoored software represents a severe risk to the confidentiality and integrity of these critical environments.

American cybersecurity firm Rapid7, which conducted a comprehensive investigation into the incident now tracked as CVE-2024-4978, published detailed findings on May 22nd. Their analysis confirmed that version 8.3.7 of the JAVS Viewer software contained a backdoored installer that allowed attackers to gain full control over compromised systems.

It was the cyber threat intelligence team at S2W Talon that initially spotted the malicious JAVS Viewer 8.3.7 installers in early April and linked the malware payload to the Rustdoor/GateDoor family of threats. Their findings prompted Rapid7's deeper investigation.

According to Rapid7, the malicious installer dropped a backdoor binary named fffmpeg.exe, masquerading as the legitimate ffmpeg multimedia tool. When executed, it established covert communications with a command-and-control server operated by the attackers, transmitting system details and awaiting further instructions.

JAVS has acknowledged the incident and taken steps to mitigate the threat. In a statement, the company confirmed that it removed all compromised software versions, reset passwords, and audited internal systems to ensure no malware persisted. However, the origin of the attack remains unclear.

"We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems," said JAVS.

"The file in question did not originate from JAVS or any associated third party," the company stated. "We are revisiting our release process to strengthen file certification and validation."

The potential impact is staggering given JAVS's ubiquity in sensitive legal environments where extremely confidential data is handled routinely. Rapid7 and JAVS recommend that all systems running the backdoored 8.3.7 version be completely re-imaged and that all credentials used on them be reset, since the backdoor gives the attackers persistent access to the host.

"Manually check for file fffmpeg.exe: If the malicious file is found or detected, we recommend a full re-image of the PC and a reset of any credentials used by the user on that computer."

"If Viewer 8.3.7.250 is the version currently installed, but no malicious files are found, we advise uninstalling the Viewer software and performing a full Anti-Virus/malware scan. Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8."
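A host triage script that applies the two checks above (presence of the renamed binary, and whether the affected 8.3.7.250 build is installed) and prints the matching vendor action. This is an added example, not tooling from JAVS or Rapid7; the registry uninstall keys, the DisplayName match and the search directories are generic Windows locations assumed here, not paths taken from the advisory.

```powershell
# Added triage example (not JAVS's or Rapid7's own tooling). Assumptions are
# labelled: the uninstall keys, DisplayName pattern and search roots are generic
# Windows locations, not paths from the vendor advisory.

$SuspectName = 'fffmpeg.exe'   # backdoor binary name reported by Rapid7
$AffectedVer = '8.3.7.250'     # Viewer build named in the JAVS guidance

# 1. Look up the installed JAVS Viewer version from the standard uninstall keys.
#    (Assumption: the product registers with a DisplayName containing "JAVS" and "Viewer".)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$viewer = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*JAVS*Viewer*' } |
    Select-Object -First 1 DisplayName, DisplayVersion, InstallLocation

# 2. Search for the masquerading binary: the install directory first if the
#    registry reports one, then Program Files and the current user's profile.
$searchRoots = @()
if ($viewer -and $viewer.InstallLocation) { $searchRoots += $viewer.InstallLocation }
$searchRoots += $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:APPDATA
$hits = $searchRoots | Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object {
        Get-ChildItem -Path $_ -Filter $SuspectName -Recurse -File -ErrorAction SilentlyContinue
    }

# 3. Map the findings onto the actions in the vendor guidance quoted above.
if ($hits) {
    "Found $SuspectName at:"
    $hits | ForEach-Object { "  $($_.FullName)  ($($_.Length) bytes, written $($_.LastWriteTime))" }
    "ACTION: full re-image of this PC and reset of every credential used on it."
} elseif ($viewer -and $viewer.DisplayVersion -eq $AffectedVer) {
    "Installed: $($viewer.DisplayName) $($viewer.DisplayVersion); $SuspectName not found."
    "ACTION: uninstall Viewer, run a full AV/malware scan, reset passwords used here, then upgrade."
} elseif ($viewer) {
    "Installed: $($viewer.DisplayName) $($viewer.DisplayVersion); no indicator found."
} else {
    "JAVS Viewer not registered on this host and $SuspectName not found."
}
```

Run it from an elevated PowerShell prompt so the registry hives and Program Files trees are readable; an absent file is not proof of a clean host, so the version check still drives the uninstall-and-scan path.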

This attack recalls the SolarWinds incident of four years ago, in which multiple US government systems and networks were infiltrated by hackers. It also highlights the ever-increasing risks and severe consequences of supply chain compromises, where malicious code piggybacks on legitimate software distributions to infiltrate target networks.

The recently discovered XZ Utils backdoor was another attempted Linux supply chain attack, one that was stopped before the malicious code could be put to use.

Legal and judicial entities must remain vigilant and prioritize cybersecurity resilience to maintain the integrity of their core functions.
