Eltima Software, a maker of popular applications for macOS, had its website compromised by hackers who replaced the installers for two of its applications with trojanized versions.
This is the latest in a string of software supply chain attacks that happened this year and which affected consumers and companies alike. Abusing the trust between users and software suppliers is a powerful, yet hard to detect, way of infecting systems with malware. This is making software developers a very attractive target for hackers.
The attackers who broke into Eltima’s web server replaced the legitimate installers for Elmedia Player, a free multimedia player, and Folx, a download manager, with malicious versions. The rogue versions were digitally signed with a valid Apple developer certificate and contained an information-stealing trojan called Proton.
Proton can steal session cookies, passwords, PGP and SSH keys, cryptocurrency wallets and a variety of other data from several popular applications. It also opens a backdoor on victims’ systems that enables hackers to execute commands remotely.
Fortunately, the compromise was discovered relatively quickly by researchers from antivirus firm ESET and the malicious installers were only hosted on Eltima’s servers for approximately 24 hours. During that time, about 1,000 users downloaded the files.
The impact could have been much worse, since Elmedia Player reached 1 million users in August. A different supply chain attack last month resulted in malware-infected versions of CCleaner, a Windows system optimization tool, being downloaded by 2.2 million users. However, in that case, the malicious versions were distributed from the software developer’s website for a few weeks.
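Because the swapped installers carried a valid Apple developer signature, a signature check alone would not have flagged them; what does catch a substituted file is comparing its digest against a known-good value published out of band. The following script is an added illustration, not code from Eltima or from the article: it builds a constructed "clean" installer and a constructed tampered copy under the same file name, simulates a vendor manifest of pinned SHA-256 digests, and shows that the tampered copy and any file with no pinned digest are refused. The file names and digests are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, pinned_digests):
    """Return (ok, reason).

    ok is True only when the file's SHA-256 matches the digest pinned for that
    file name. A missing pin is treated as a failure: an unknown file is not
    trusted just because it is signed or because it came from the vendor site.
    """
    name = Path(path).name
    expected = pinned_digests.get(name)
    if expected is None:
        return False, f"{name}: no pinned digest, refusing to trust"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: digest matches pinned value"


def build_sample_files(directory):
    """Write a constructed clean installer and a tampered copy with the SAME name in a subfolder."""
    root = Path(directory)
    clean = root / "ElmediaPlayer.dmg"  # constructed sample file, not a real installer
    clean_bytes = b"CONSTRUCTED SAMPLE INSTALLER CONTENT " * 1000
    clean.write_bytes(clean_bytes)

    # The tampered copy differs only by a few appended bytes. A fresh, valid
    # code signature on a rebuilt package says nothing about whether the
    # package is the one the vendor intended to ship.
    tampered_dir = root / "swapped"
    tampered_dir.mkdir()
    tampered = tampered_dir / "ElmediaPlayer.dmg"
    tampered.write_bytes(clean_bytes + b"APPENDED BYTES")

    unknown = root / "Folx.dmg"  # constructed: a file with no pinned digest at all
    unknown.write_bytes(b"CONSTRUCTED SAMPLE CONTENT WITH NO PIN")
    return clean, tampered, unknown


def run_demo():
    """Build the samples, pin the clean digest, and verify all three files."""
    with tempfile.TemporaryDirectory() as d:
        clean, tampered, unknown = build_sample_files(d)
        # Simulated out-of-band manifest: the digest of the build the vendor actually released.
        manifest = {"ElmediaPlayer.dmg": sha256_file(clean)}
        return {
            "clean": verify_installer(clean, manifest),
            "tampered": verify_installer(tampered, manifest),
            "unknown": verify_installer(unknown, manifest),
        }


if __name__ == "__main__":
    for label, (ok, reason) in run_demo().items():
        print(f"{label:9s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The manifest must come from a channel the web server compromise cannot rewrite (for example, digests distributed with a separately signed release note); a pinned digest fetched from the same compromised site would simply be swapped along with the installer.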
“To manage the risk of supply chain attacks, organizations are recommended to use reliable security software and reduce the used software on their machines to a necessary minimum (thus reducing the attack surface),” said Anton Cherepanov, a senior malware researcher at ESET. “Another helpful step is to limit admin rights only to those users who really need them (such as IT admins or security teams). With regard to the partners who could be targeted in a supply chain attack, organizations are advised to choose partners that, in case of an incident, are ready to cooperate transparently and act according to a previously agreed plan.”
There have been several supply chain attacks this year that targeted companies, and even in the CCleaner incident the hackers’ goal was to deploy second-stage malware on computers of select technology firms that used CCleaner on their systems. In August, security researchers from Kaspersky Lab uncovered a separate supply chain attack where hackers inserted a backdoor into a legitimate update for an enterprise server administration tool developed by a company called NetSarang Computer.
Following the breach, Eltima blocked all FTP and SSH accounts on its server, blocked access to the web server from suspicious IP addresses, updated its content management system to the latest version, removed the TinyMCE library where possible and updated the remaining instances to the latest version, limited the web server’s access rights to the filesystem, scanned all of the site’s scripts for malware and cleaned them, and made other server security improvements, the Eltima spokeswoman said.
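One detail in that remediation list is easy to miss: a library like TinyMCE is often bundled more than once in a CMS tree (by the core install, by plugins, by a theme), so "update it" first means finding every copy. The script below is an added example, not Eltima's own tooling or anything from the article: it builds a constructed web root with three copies of a library file, reads a version header from each, and reports which copies are below a required minimum and which carry no recognisable version at all. The header format `// <version> (<date>)`, the file name, the directory layout and the version numbers are all constructed assumptions for the demo, not a claim about how any real library formats its files.

```python
import re
import tempfile
from pathlib import Path

# Assumed header format for the constructed samples: "// <version> (<YYYY-MM-DD>)".
VERSION_HEADER = re.compile(r"^//\s*(\d+(?:\.\d+)+)\s*\((\d{4}-\d{2}-\d{2})\)")


def parse_version(text: str) -> tuple:
    """'4.7.0' -> (4, 7, 0); tuples compare numerically, unlike the raw strings."""
    return tuple(int(part) for part in text.split("."))


def find_library_instances(web_root, filename="tinymce.min.js"):
    """Walk the web root and return [(relative path, version tuple or None)] for every copy."""
    root = Path(web_root)
    found = []
    for path in sorted(root.rglob(filename)):
        with open(path, encoding="utf-8", errors="replace") as f:
            first_line = f.readline()
        match = VERSION_HEADER.match(first_line)
        version = parse_version(match.group(1)) if match else None
        found.append((path.relative_to(root).as_posix(), version))
    return found


def audit(web_root, minimum: str, filename="tinymce.min.js"):
    """Classify every copy as 'ok', 'outdated' (below minimum) or 'unknown' (no parsable version).

    Unknown copies are reported separately rather than silently passed: a copy
    you cannot version is a copy you cannot say is patched.
    """
    required = parse_version(minimum)
    report = {"ok": [], "outdated": [], "unknown": []}
    for rel, version in find_library_instances(web_root, filename):
        if version is None:
            report["unknown"].append(rel)
        elif version < required:
            report["outdated"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def build_sample_web_root(directory):
    """Constructed CMS tree: a current core copy, a plugin bundling an old copy, a copy with no header."""
    samples = {
        "assets/js/tinymce/tinymce.min.js": "// 4.7.0 (2017-10-03)\n!function(){}();\n",
        "plugins/legacy-editor/vendor/tinymce.min.js": "// 4.1.0 (2014-06-25)\n!function(){}();\n",
        "themes/custom/tinymce.min.js": "!function(){}();\n",
    }
    for rel, content in samples.items():
        target = Path(directory) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def run_demo(minimum="4.7.0"):
    """Build the constructed tree and audit it against the assumed minimum version."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_web_root(d)
        return audit(d, minimum)


if __name__ == "__main__":
    for status, paths in run_demo().items():
        for rel in paths:
            print(f"{status:9s} {rel}")
```

Run against a real document root the same audit also flags copies that sit outside the CMS's own update path, which is exactly the case where "updated to the latest version" through the admin panel leaves an old instance behind.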
This suggests that the cause of this breach was not a sophisticated attack or spearphishing against a key employee, but a failure to keep a web application and its various components up to date. Unfortunately, this is a common oversight that can have very serious repercussions, as we’ve seen recently with the Equifax breach that resulted from a failure to patch a known vulnerability in Apache Struts.