In context: Supply chain attacks are usually conceived to target a specific company by infecting a single element involved in the manufacturing or distribution of a software product. Once the supply chain is compromised, all downstream users and customers of the affected company can be easily targeted as well.
Justice AV Solutions (JAVS) provides software products to more than 10,000 courtrooms in the US and around the world. The 35-year-old company was recently affected by a dangerous supply chain attack, in which unknown cybercriminals were able to implant their own backdoor into a supposedly legitimate, official software download.
As reported by Rapid7, the supply chain attack compromised the JAVS Viewer 8.3.7 program included in the JAVS Suite 8 product. JAVS Suite is a “database-centered” software designed to create, manage, and view digital recordings of “critical meetings” in courtrooms and business environments. JAVS describes it as a “complete AV management” suite running on Windows 10 or later PC operating systems.
As part of the main JAVS Suite, JAVS Viewer allows employees to open and manage previously recorded logs and media files. Version 8.3.7 of JAVS Viewer was found to be infected with a backdoor and was seemingly hosted on JAVS’ own servers, Rapid7 confirmed. This means that all customers using that specific version of the software should take serious mitigation measures to avoid unpleasant surprises in the future.
The backdoor was digitally signed to avoid triggering initial security warnings, although the signing entity was “Vanguard Tech Limited” and not “Justice AV Solutions Inc.” as it should have been. Once installed, the compromised JAVS Viewer was designed to connect to remote command-and-control servers and wait for further orders. The malware would then steal sensitive data, including hostname and OS details, browser passwords, and more.
The malicious executable (fffmpeg.exe) is known to be part of the GateDoor/Rustdoor malware family and has already been flagged by many security vendors and AV solutions. JAVS officially acknowledged the supply chain attack on its website, stating that the incident (tracked as CVE-2024-4978) was now resolved with a new release of the JAVS Viewer program.
According to Rapid7 analysts, the JAVS backdoor incident could have lasting consequences, including compromised systems, stolen passwords, and unauthorized remote access.
All users of JAVS Viewer 8.3.7 should completely re-image any endpoint system where the program is used, as simply uninstalling or updating the software alone isn’t enough to eradicate the threat. Access credentials and passwords for system accounts and web browsers should be reset as well.