Courtroom recording software compromised with backdoor installer

A popular brand of recording software used widely in courtrooms, jails and prisons has been compromised by hackers, allowing them to gain full control of a system through a backdoor implanted in an update to the tool.

Justice AV Solutions (JAVS) is used to record events like lectures, court hearings and council meetings, with more than 10,000 installations of their technologies worldwide. It can be downloaded through the vendor's website and is shipped as a Windows-based installer package. 

But this week, the company said it identified a security issue with a previous version of its JAVS Viewer software.

“Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file,” the company said in a statement on Thursday. 

“We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.” 

The malicious file which contained malware “did not originate from JAVS or any 3rd party associated with JAVS” and the company urged users to verify that the company has digitally signed any software they install.

Cybersecurity firm Rapid7 published an analysis of the issue on Thursday, finding that the corrupted JAVS Viewer software — which opens media and logs files in the suite — has a backdoored installer that gives attackers full access to an affected system. 

The malware transmits data about the host system to a command-and-control (C2) server belonging to the threat actors. Rapid7 tracked the issue as CVE-2024-4978 and said it worked with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on coordinating disclosure of the problem. 

Rapid7 said the malicious versions of the software were signed by “Vanguard Tech Limited,” which is allegedly based in London. 

In its advisory, Rapid7 stressed the need to reimage all endpoints where the software was installed, and to reset credentials on web browsers and for any accounts logged into affected endpoints, both local and remote. 

“Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate,” they wrote.

“Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. 

The issue was first publicized on X (formerly Twitter) in April by a threat intelligence researcher who claimed “malware is being hosted on the official website of JAVS.” 

On May 10, Rapid7 responded to an alert on a client’s system and traced an infection back to an installer downloaded from JAVS’ website. The malicious file that had been downloaded by the victim appeared to no longer be available on the website, and it’s unclear who removed it from the page. 

A few days later, the researchers discovered a different installer file containing malware on the JAVS website. 

“This confirms that the vendor site was the source of the initial infection,” they wrote. JAVS did not respond to requests for comment about the discrepancy between their findings and Rapid7’s analysis. 

Software updates have become a focal point in cybersecurity since end users tend to blindly hit “update” when prompted, or they have them automatically enabled. 

Multiple companies, most notably SolarWinds and 3CX, have dealt with nation-state attacks that exploited the update process to surreptitiously install malware.