Justice AV Solutions incident (CVE-2024-4978)


Justice AV Solutions incident (CVE-2024-4978)

In May 2024 Rapid7 detected (report) supply chain attack on Justice AV Solutions (JAVS) Viewer software. First mentions of JAVS official website serving malicious installer appeared a month earlier, in April, on S2W X account (post). It means that customers could get infected by software downloaded from official vendor site for at least a month. Who are the customers? JAVS Viewer is used worldwide by courtrooms, legal offices and government agencies, which means environments with a lot of sensitive data.

How did it happen? Exact method is not yet known, but attackers managed to modify Viewer installer with additional file (fffmpeg.exe) that upon execution was opening communication channel back to a malicious server and stealing data, like saved passwords. Core part of software was digitally signed by JAVS, the malicious file was also signed, but with a different certificate issued to Vanguard Tech Limited.

Why it took such a long time to detect? For antivirus, it's a new, unknown file, comes from reputable vendor and correct website. For static security scanners, there's nothing suspicious, as the malicious part is encrypted. Firewall would allow any communications, because malicious server is new, so doesn't have bad reputation and connections are made by digitally signed file, so they're by default allowed. In case of EDR/XDR - first, the evil operations would have to be sent to the cloud for inspection. Because of a huge amount of data that every EDR agent sees, it often applies event sampling, which means that many events are just discarded and analysts never get to see them. At some point suspicious activity will get registered, but then it's just a few small events hidden in sea of benign ones, so it takes time before anyone will take notice.

How can we help with supply chain attack detection? We focus only on applications and network connections they're making, which means that we don't generate many events and don't need to sample them. If something happened, we send it out to our cloud engine and our allowlist database filters out all expected communications. In case of JAVS incident you could immediately see that endpoints in your organization are running software made by Vanguard Tech Limited, which on its own, could trigger investigation by your security team, moreover our system would raise alert, because connections made by modified Viewer are unexpected for vendor that signed the application. Finally, you could also check which endpoints are running the bad Viewer v8.3.7 to find out where to act first.