Software and its purpose
Justice AV Solutions (JAVS) uses its technologies to capture events such as lectures, court proceedings, and council meetings, and they have over 10,000 installations worldwide. It is available for download from the vendor's website and is a Windows installer package.
The discovery
However, the company announced this week that it had uncovered a security flaw in an earlier version of its JAVS Viewer program.
Through continuing monitoring and consultation with cyber authorities, the company discovered attempts to replace its Viewer 8.3.7 software with a tainted file.
The company removed all versions of Viewer 8.3.7 from the JAVS website, changed all passwords, and thoroughly assessed all JAVS systems. It also determined that all currently available files on the JAVS.com website are legitimate and free of malware. The company also confirmed that no JAVS source code, certificates, systems, or other software releases were affected during this event.
The backdoor
The malicious file, which contained malware, "did not originate from JAVS or any third party associated with JAVS," and the business advised users to ensure that any software they installed was digitally signed.
Rapid7, a cybersecurity firm, published an investigation of the vulnerability on Thursday, revealing that the compromised JAVS Viewer program — which opens media and logs files in the suite — contains a backdoored installer that allows attackers full access to an infected system.
Installation and communication
The malware sends data about the host machine to the threat actors' command-and-control (C2) servers. Rapid7 identified the bug as CVE-2024-4978 and stated that it collaborated with the CISA to coordinate the disclosure of the problem.
Rapid7 stated that the malicious copies of the software were signed by "Vanguard Tech Limited," which is reportedly headquartered in London.
Rapid7's alert emphasized the importance to reimaging all endpoints where the software was installed, as well as resetting credentials on web browsers and any accounts authenticated into impacted endpoints, both local and remote.
Data harvesting
Simply uninstalling the software is insufficient, as attackers could have installed further backdoors or malware. They wrote that reimagining allows for a fresh start.
"It is important to completely re-imagine compromised endpoints and reset associated passwords to guarantee that attackers have not persisted via backdoors or stolen credentials.
A threat intelligence researcher originally raised the matter on X (previously Twitter) in April, claiming that "malware is being hosted on the official website of JAVS."
On May 10, Rapid7 responded to a client's system warning and traced an infection to an installer downloaded from the JAVS website. The malicious file that the victim had downloaded appears to have been withdrawn from the website, and it is unclear who did so.
Additional malware
A few days later, the researchers uncovered another installer file carrying malware on the JAVS website.
Software updates have become a focus in cybersecurity because end users frequently click "update" when requested, or they have them enabled automatically.
Several firms, most notably SolarWinds and 3CX, have grappled with nation-state intrusions that used the update process to secretly implant malware.