One of the Pale Moon web browser's servers was hacked


The developer of the Pale Moon web browser has disclosed unauthorized access to one of the project's servers, archive.palemoon.org, which hosted the archive of previous browser versions up to and including version 27.6.2.

During this intrusion the attackers infected with malware all of the executable Pale Moon installers for Windows stored on the server. According to preliminary data, the malicious replacement took place on December 27, 2017 and was detected only on July 9, 2019, so it went unnoticed for about a year and a half.

The server is currently offline for investigation. The server from which current Pale Moon releases are distributed was not affected; the problem concerns only old Windows versions installed from the archive server described above (old versions are moved to this server when new ones are released).

After gaining access, the attackers selectively infected all Pale Moon-related .exe files, that is, the installers and self-extracting archives, with the Win32/ClipBanker.DY trojan, which is designed to steal cryptocurrency by replacing bitcoin addresses in the clipboard.

Executables inside the zip archives were not affected. Users could detect a modified installer by checking it against the published SHA256 hashes or its digital signature. The malware used is also detected by all current antivirus programs.
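As an added example (not code from the article or from the Pale Moon project), the kind of integrity audit that catches installers modified in place on a download server: a sha256sum-style manifest recorded at release time is compared with the files actually on disk. The file names and contents below are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, name = line.strip().partition("  ")
        if not sep or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def audit(directory, manifest_text):
    """Check every manifest entry against the file on disk.
    Returns {filename: 'ok' | 'MISMATCH' | 'MISSING'}; MISMATCH is the tampering signal."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "ok" if sha256_file(path) == digest else "MISMATCH"
    return results

def demo():
    """Constructed scenario: manifest recorded at release time, then one installer altered in place."""
    with tempfile.TemporaryDirectory() as d:
        files = {"palemoon-27.6.2.win32.installer.exe": b"MZ original installer bytes",
                 "palemoon-27.6.1.win32.installer.exe": b"MZ older installer bytes"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "\n".join(f"{hashlib.sha256(v).hexdigest()}  {k}" for k, v in files.items())
        # Simulate the in-place modification the article describes (done by a local script).
        with open(os.path.join(d, "palemoon-27.6.2.win32.installer.exe"), "ab") as f:
            f.write(b"<constructed injected bytes>")
        return audit(d, manifest)  # -> 27.6.2 MISMATCH, 27.6.1 ok
```

Run periodically on the archive host (or from a separate machine that mirrors it), a check like this would have flagged the altered installers long before the eighteen months the compromise went unnoticed; the manifest must be stored somewhere the server itself cannot rewrite.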

Regarding the compromised server, the browser's author gives the following details:

“The server ran on Windows and was launched on a virtual machine leased from the operator Frantech / BuyVM.”

It is not yet clear what type of vulnerability was exploited, nor whether it was specific to Windows or affected a third-party server application running on the host.

About the hack

On May 26, 2019, during activity by attackers on the server (it is not clear whether these were the same attackers as in the first intrusion or others), archive.palemoon.org stopped functioning normally: the host failed to reboot and its data was corrupted.

The system logs were lost as well, and they might have contained more detailed traces of the nature of the attack.

At the time of this failure, the administrators were unaware of the compromise; they restored the archive in a new CentOS-based environment and replaced downloads over FTP with HTTP.

Since the compromise had not been noticed, the already-infected files were carried over from the backups to the new server.

In analyzing the possible causes of the compromise, the attackers are assumed to have gained access in one of several ways: obtaining the password of a hosting-staff account, gaining physical access to the server, attacking the hypervisor to take control of other virtual machines, breaking into the web control panel, or hijacking a remote desktop session.

It is also believed that the attackers may have used RDP or exploited a vulnerability in Windows Server. The malicious modifications were performed locally on the server with a script that altered the existing executable files, rather than by uploading replacements from outside.

The project's author states that only he had administrator access to the system, that access was restricted to a single IP address, and that the underlying Windows operating system was up to date and protected from outside attacks.

At the same time, RDP and FTP were used for remote access, and potentially insecure software was running on the virtual machine, which could have been the cause of the hack.

However, the author of Pale Moon favors the theory that the hack was carried out through insufficient protection of the provider's virtual machine infrastructure (for example, the OpenSSL website was once hacked by guessing a hosting-vendor password for the standard virtualization management interface).
