An author of the Pale Moon browser, which goes online under the nickname MoonChild, revealed information about the compromised server archive.palemoon.org, which kept the archive of past browser releases up to version 27.6.2 inclusively.During the hacking attackers infected with malware all executable files on the server with the Pale Moon installers for Windows.
According to preliminary data, the substitution of malware was made on December 27, 2017, and was detected only on July 9, 2019, i.e. a year and a half went unnoticed.
Currently, the problematic server is under investigation.
The server from which the current editions of Pale Moon were distributed did not suffer, the problem affects only old Windows versions installed from the archive (the releases are moved to the archive as new versions become available).
“Only files on the archive server were infected. This never affected any of the main distribution channels of Pale Moon, andarchived versions would only be updated with the next release cycle would happen, at no time any current versions, no matter where they were retrieved from, would be infected”, — reported MoonChild.
During the hacking, the server was running under Windows and was launched in a virtual machine leased from the operator Frantech/BuyVM. What kind of vulnerability was exploited and whether it is specific to Windows or affected any running third-party server applications is not yet clear.
After gaining access, the attackers selectively infected all exe-files related to the Pale Moon (installation and self-extracting archives) with Win32/ClipBanker.DY Trojan software aimed at stealing cryptocurrency by replacing bitcoin addresses in the exchange buffer.
Executable files inside zip archives are not affected. The user could detect changes in the installer by checking SHA256 attached to the digital signature in files or hashes. All relevant antivirus programs also successfully detect the malware usage.
On May 26, 2019, during attackers’ activity on the server (it is unclear if they are same attackers as during the first episode or others), the normal operation of archive.palemoon.org was broken — the host could not reboot and the data was corrupted. Were also lost system logs though they could include more traces indicating the nature of the attack.
At the time of this failure, administrators were unaware of the compromise and restored the work of the archive using the new environment based on CentOS and replacing the download via FTP with HTTP. Since the incident was not seen on the new server, the files from the backup copy that were already infected were transferred.
Analyzing the possible causes of the compromise, it is assumed that the attackers gained access by picking up a password for the hosting personnel account, having obtained physical access to the server, performing an attack on the hypervisor to gain control of other virtual machines, hacking the web control panel, intercepting a remote desktop session. (RDP was used) or exploited a vulnerability in Windows Server.
Attackers performed malicious actions locally on the server using a script to make changes to existing executable files, and not by reloading them from the outside.
The author of the project assures that only he had administrator access in the system, access was limited to one IP address, and basic Windows OS was updated and protected from external attacks. At the same time, remote access were used RDP and FTP protocols, and potentially unsafe software was launched on the virtual machine, which could be a cause of hacking.
Nevertheless, the author of Pale Moon attached to the version that the hacking was done due to insufficient protection of the virtual machines infrastructure of the provider (for example, the OpenSSL website was hacked through the selection of an unreliable provider password using the standard virtualization management interface).
User Review( votes)