Supply Chain Attack Hits Maker of Popular MacOS Apps

Eltima Software, a maker of popular applications for macOS, had its website compromised by hackers who replaced the installers for two of its applications with trojanized versions.

This is the latest in a string of software supply chain attacks that happened this year and which affected consumers and companies alike. Abusing the trust between users and software suppliers is a powerful, yet hard to detect, way of infecting systems with malware. This is making software developers a very attractive target for hackers.

The attackers who broke into Eltima’s web server replaced the legitimate installers for Elmedia Player, a free multimedia player, and Folx, a download manager, with malicious versions. The rogue versions were digitally signed with a valid Apple developer certificate and contained an information-stealing trojan called Proton.

Proton can steal session cookies, passwords, PGP and SSH keys, cryptocurrency wallets and a variety of other data from several popular applications. It also opens a backdoor on victims’ systems that enables hackers to execute commands remotely.

Fortunately, the compromise was discovered relatively quickly by researchers from antivirus firm ESET and the malicious installers were only hosted on Eltima’s servers for approximately 24 hours. During that time, about 1,000 users downloaded the files.

The impact could have been much worse, since Elmedia Player reached 1 million users in August. A different supply chain attack last month resulted in malware-infected versions of CCleaner, a Windows system optimization tool, being downloaded by 2.2 million users. However, in that case, the malicious versions were distributed from the software developer’s website for a few weeks.

“To manage the risk of supply chain attacks, organizations are recommended to use a reliable security software and reduce the used software on their machines to a necessary minimum (thus reducing the attack surface),” said Anton Cherepanov, a senior malware researcher at ESET. “Another helpful step is to limit admin rights only to those users who really need them (such as IT admins or security teams). With regard to the partners who could be targeted in a supply chain attack, organizations are advised to choose partners that, in case of an incident, are ready to cooperate transparently and act according to a previously agreed plan.”

There have been several supply chain attacks this year that targeted companies, and even in the CCleaner incident the hackers’ goal was to deploy second-stage malware on computers of select technology firms that used CCleaner on their systems. In August, security researchers from Kaspersky Lab uncovered a separate supply chain attack where hackers inserted a backdoor into a legitimate update for an enterprise server administration tool developed by a company called NetSarang Computer.

According to an Eltima spokeswoman, the hackers broke into the company’s web server by exploiting a vulnerability in TinyMCE, a popular JavaScript library that implements an HTML editor.

Following the breach, Eltima blocked all FTP and SSH accounts on its server, blocked access to the web server from suspicious IP addresses, updated its content management system to the latest version, removed the TinyMCE library where possible and updated the remaining instances to the latest version, limited the web server’s access rights to the filesystem, scanned all of the site’s scripts for malware and cleaned them, and made other server security improvements, the Eltima spokeswoman said.

This suggests that the cause of this breach was not a sophisticated attack or spearphishing against a key employee, but a failure to keep a web application and its various components up to date. Unfortunately, this is a common oversight that can have very serious repercussions, as we’ve seen recently with the Equifax breach that resulted from a failure to patch a known vulnerability in Apache Struts.

Lucian Constantin
