Hackers have compromised a popular brand of recording software widely used in courtrooms, jails and prisons, allowing them to take full control of the system through a backdoor built into an update tool.
Justice AV Solutions (JAVS) is used to record events such as conferences, court hearings and board meetings, with more than 10,000 installations of its technology worldwide. It can be downloaded from the vendor’s website and comes as a Windows-based installation package.
But this week, the company said it had identified a security issue with a previous version of its JAVS Viewer software.
“Through continued monitoring and cooperation with cyber authorities, we have identified attempts to replace our Viewer 8.3.7 software with a compromised file,” the company said in a statement on Thursday.
“We have pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords and performed a full internal audit of all JAVS systems. We have confirmed that all files currently available on the JAVS.com website are genuine and free of malware. We have further confirmed that JAVS source code, certificates, systems or other software versions were not compromised in this incident.”
The malicious file containing the malware did not come from JAVS or any third party affiliated with JAVS, the company said, and it urged users to confirm that any software they install is digitally signed by the company.
Cybersecurity firm Rapid7 released an analysis of the problem Thursday, revealing that the compromised JAVS Viewer software that opens media files and saves package files has a backdoor installer that gives attackers full access to the affected system.
The malware transfers data from the host system to a command and control (C2) server operated by the malicious actors. Rapid7 tracked the issue as CVE-2024-4978 and said it was working with the US Cybersecurity and Infrastructure Security Agency (CISA) to coordinate disclosure of the issue.
Rapid7 said the malicious versions of the software were signed by Vanguard Tech Limited, believed to be based in London.
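The check the vendor recommends, verifying that an installer carries a valid Authenticode signature from the expected publisher rather than from an unexpected signer such as the one named above, can be scripted on Windows. This is an added example, not code from JAVS or Rapid7; the expected signer subject is a placeholder that an administrator would replace with the subject shown on a genuine, vendor-signed installer.

```powershell
# Added example (not JAVS's or Rapid7's code). Checks an installer's Authenticode
# signature and compares the signer against an allowlist of expected vendor subjects.
# $ExpectedSigners is an assumed placeholder: fill in the subject name that appears
# on the vendor's genuine, signed installers before relying on the verdict.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string[]]$ExpectedSigners = @('CN=EXPECTED-VENDOR-SUBJECT-PLACEHOLDER')
)

function Test-InstallerSignature {
    param([string]$Path, [string[]]$ExpectedSigners)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '<none>' }

    $result = [ordered]@{
        Path       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $signer
        Thumbprint = $thumb
        Verdict    = 'REJECT'
        Reason     = ''
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned or tampered file: the hash no longer matches the signed hash.
        $result.Reason = "signature status is $($sig.Status)"
    }
    elseif ($ExpectedSigners -notcontains $signer) {
        # A *valid* signature from the wrong publisher is the case in this article:
        # the malicious builds were signed, but not with the vendor's own certificate.
        $result.Reason = 'valid signature, but the signer is not an expected vendor certificate'
    }
    else {
        $result.Verdict = 'ACCEPT'
        $result.Reason  = 'valid signature from an expected vendor certificate'
    }
    return [pscustomobject]$result
}

Test-InstallerSignature -Path $Path -ExpectedSigners $ExpectedSigners | Format-List
```

Comparing the certificate thumbprint rather than only the subject string is stricter, since a subject name can be reissued to a different key; the object above exposes both so the allowlist can be tightened.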
In its advisory, Rapid7 noted the need to reimage all endpoints where the software is installed and to reset credentials in web browsers and for all accounts associated with affected endpoints, both local and remote.
“Simply uninstalling the software is not enough, as attackers may have planted additional backdoors or malware. Reimaging gives a clean slate,” they wrote.
“It is imperative to fully reimage affected endpoints and revoke associated credentials to ensure that attackers have not persisted through backdoors or stolen credentials.”
The issue was first reported on X (formerly Twitter) in April by a threat intelligence researcher, who claimed the malware was located on the official JAVS website.
On May 10, Rapid7 responded to an alert on a user’s system and traced the infection to an installer downloaded from the JAVS website. The malicious file downloaded by the victim appears to be no longer available on the website, and it is unclear who removed it from the site.
A few days later, researchers discovered another installation file containing the malware on the JAVS website.
“This confirms that the vendor’s site was the source of the initial infection,” they wrote. JAVS did not respond to requests for comment on the discrepancy between its statement and Rapid7’s analysis.
Software updates have become a favored target for attackers, as end users tend to click through update prompts without scrutiny or let updates install automatically.
Several companies, including SolarWinds and 3CX, have faced attacks from nation states exploiting the update process to secretly install malware.