Justice AV Solutions (JAVS) Software Compromised in Supply Chain Attack
May 23, 2024
Justice AV Solutions (JAVS), a company providing video recording software for courtrooms, legal offices, and government agencies, has been targeted in a supply chain attack. The attackers inserted a backdoor into the software's installer, giving them control of the systems on which it was run. The software has more than 10,000 installations worldwide; the affected version has been removed from the official JAVS website.
The company has disclaimed any association with the trojanized software, stating that it "did not originate from JAVS or any 3rd party associated with JAVS." Following the discovery of the compromised file, JAVS initiated a comprehensive audit of all systems and reset all passwords to prevent potential future breaches.
In collaboration with cybersecurity authorities, the company identified attempts to replace its Viewer 8.3.7 software with a compromised file. It assured customers that all current files on its website are genuine and free from malware, and that no JAVS source code, certificates, systems, or other software releases were compromised in the incident.
The supply chain attack, now tracked as CVE-2024-4978, was investigated by cybersecurity company Rapid7. The S2W Talon threat intelligence group initially spotted the trojanized JAVS installer in early April, associating it with the Rustdoor/GateDoor malware.
The malware, once installed and launched, sends system information to its command-and-control (C2) server. It then executes two obfuscated PowerShell scripts designed to disable Event Tracing for Windows (ETW) and bypass the Anti-Malware Scan Interface (AMSI). Subsequently, an additional malicious payload downloaded from its C2 server drops Python scripts, which start collecting credentials stored in web browsers on the system.
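As an added, defender-side illustration of the PowerShell stage described above (example code written for this summary, not from Rapid7, S2W or JAVS), the script below scans script block log text in the style of Windows Event ID 4104, decodes any -EncodedCommand blob, and flags references to AMSI or ETW together with the base64-to-Invoke-Expression loader shape typical of obfuscated stagers. The log line format, host name and embedded payload are constructed assumptions, not telemetry from this incident.

```python
import base64
import re

# Each rule names a behaviour the article attributes to the JAVS payload chain.
INDICATORS = {
    "amsi_reference": re.compile(r"amsi", re.I),
    "etw_reference": re.compile(r"\betw\b|EtwEventWrite|Event\s*Tracing", re.I),
    "b64_to_iex": re.compile(r"FromBase64String.*?(Invoke-Expression|\biex\b)", re.I | re.S),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of at least 16 chars.
ENCODED_FLAG = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def scan_script_block(text):
    """Return the indicator names hit by one script block. The raw text is scanned
    with the base64 blob masked (so random base64 cannot trip keyword rules) and,
    when an -EncodedCommand payload decodes, the decoded script is scanned too."""
    hits = set()
    layers = [ENCODED_FLAG.sub("-enc <blob>", text)]
    m = ENCODED_FLAG.search(text)
    if m:
        try:  # -EncodedCommand carries base64 of a UTF-16LE script
            layers.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
            hits.add("encoded_command")
        except (ValueError, UnicodeDecodeError):
            hits.add("undecodable_blob")  # still worth a look: not valid base64/UTF-16LE
    for layer in layers:
        hits.update(name for name, pat in INDICATORS.items() if pat.search(layer))
    return hits

def triage(lines):
    """Map line index -> sorted indicator list for every line that hit at least one rule."""
    report = {}
    for i, line in enumerate(lines):
        hits = scan_script_block(line)
        if hits:
            report[i] = sorted(hits)
    return report

# Constructed sample in Event ID 4104 style; not real telemetry. The encoded payload
# is a harmless base64-to-IEX loader shape, built here so that it decodes cleanly.
STAGE = ("$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk='));"
         "Invoke-Expression $p")
ENCODED = base64.b64encode(STAGE.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "4104 Host=CLERK-PC Block=Get-ChildItem C:\\Cases -Recurse",
    f"4104 Host=CLERK-PC Block=powershell.exe -nop -w hidden -enc {ENCODED}",
    "4104 Host=CLERK-PC Block=Get-Module | Where-Object Name -like '*amsi*'",
]
```

Run `triage(SAMPLE_LOG)` to see only the two suspicious lines reported; the rules are deliberately broad keyword matches meant for triage, not for blocking.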
Rapid7 revealed that the backdoored installer, classified by many security vendors as a malware dropper, was downloaded from the official JAVS website. The cybersecurity company has advised JAVS customers to reimage all endpoints where the trojanized installer was deployed. To cut off the attackers' access, it is also recommended to reset all credentials used to log onto potentially compromised endpoints and upgrade the JAVS Viewer software to version 8.3.9 or higher after reimaging the systems.
The cybersecurity company warned, "Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate." It emphasized the importance of re-imaging affected endpoints and resetting the associated credentials to ensure the attackers have not persisted through backdoors or stolen credentials.