Hackers infiltrated a widely used courtroom recording platform, Justice AV Solutions (JAVS), by inserting a backdoor into a software update, granting them complete control over the systems. This software is utilized in over 10,000 locations globally, including jails and prisons, to record various events such as court hearings, lectures, and council meetings.
Following the discovery of a security flaw in the previous version of the JAVS Viewer software, the company promptly took action to address the issue. JAVS announced that they had detected attempts to substitute their Viewer 8.3.7 software with a compromised file, prompting them to remove all versions of Viewer 8.3.7 from their website, reset passwords, and conduct a thorough internal audit of their systems. They assured users that all files currently available on their website are authentic and free of malware, and that no source code, certificates, or other software releases were compromised.
The contaminated file, containing malware, was not linked to JAVS or any affiliated third party. As a precautionary measure, the company advised users to ensure that any JAVS software they install is digitally signed by the company. Additionally, they recommended manual checks for the file ‘fffmeg.exe’ and suggested a full re-image of the PC and a password reset if the malicious file is detected.
Cybersecurity firm Rapid7 investigated the issue and discovered that the corrupted JAVS Viewer software contained a backdoored installer, providing attackers with full access to affected systems. The backdoored installer was associated with the GateDoor and Rustdoor malware family, which can perform various malicious actions such as collecting information, downloading additional files, and executing commands.
Rapid7 identified the issue as CVE-2024-4978 and collaborated with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to disclose the vulnerability. The malicious versions of the software were signed by “Vanguard Tech Limited,” allegedly based in London. Rapid7 advised users to reimage all endpoints where the software was installed and reset credentials on web browsers and accounts logged into affected endpoints.
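As an added example (not code from JAVS or Rapid7), the following PowerShell script performs the two checks described above on a Windows host: it verifies the downloaded installer's Authenticode signature and signer, flags the signer name reported on the trojanized builds, and searches for the file named in the vendor guidance. The expected signer string and the search roots are assumptions to adjust for your environment.

```powershell
# Added example: check a downloaded JAVS installer and the host for the indicators
# described in the advisory. Not vendor code.
# Assumptions: $InstallerPath is the downloaded installer; $ExpectedSigner is a
# substring expected in the vendor's signing-certificate subject (verify it
# against a known-good install before relying on it).
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedSigner = 'Justice AV Solutions',   # assumed value
    [string[]] $SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}",
                                "$env:ProgramData", "$env:TEMP")
)

$findings = @()

# 1. Signature check: status must be Valid and the signer must be the vendor.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)' for $InstallerPath"
}
if ($subject -notlike "*$ExpectedSigner*") {
    $findings += "Unexpected signer: $subject"
}
# Signer name reported for the compromised installers in the article above.
if ($subject -like '*Vanguard Tech Limited*') {
    $findings += "Signer matches the certificate used on the compromised installers"
}

# 2. File check: the vendor guidance asks users to look for this file by name.
$suspectName = 'fffmeg.exe'   # file name as given in the advisory summarized above
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter $suspectName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Found $suspectName at $($_.FullName)" }
}
# Also report a running process with that name.
Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($suspectName)) -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process running: $($_.Path)" }

if ($findings.Count -eq 0) {
    Write-Output "No findings: signature valid from '$subject'; $suspectName not present."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output "Per the vendor guidance: treat the host as compromised, re-image it, and reset credentials."
}
```

Run it from an elevated PowerShell session so the recursive search can read all of the listed directories.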
The problem first came to light on social media in April when a threat intelligence researcher reported that malware was hosted on the official JAVS website. Subsequently, Rapid7 responded to a client’s alert on May 10 and linked an infection back to an installer downloaded from the JAVS website. Researchers later found another infected installer file on the JAVS website, confirming it as the source of the initial infection.
In conclusion, the cyber incident involving the compromised JAVS Viewer software underscores the importance of vigilance and prompt action to address security vulnerabilities. Users must exercise caution when installing software and ensure that they are using legitimate, digitally signed versions to mitigate the risk of potential cyber threats.
