What happened at Eltima, and how can you stay safe?

On 19 October 2017, for a period of just over seven hours, anyone who downloaded software – specifically the apps Folx and Elmedia Player – from the Eltima Software site got an unexpected present: Proton.C malware. Now the dust has settled, and Eltima’s servers have been cleansed, taken apart, made even more robust, and put back online, it’s worth taking stock, and thinking how to avoid getting caught in the future.

Thankfully this particular hack affected very few users: Eltima estimates less than two thousand. But next time, it could affect a much bigger vendor, and run for longer before it is detected. Even Apple-supplied products are not immune – remember XcodeGhost, which loaded so many iOS apps in the iTunes App Store with malware back in 2015?

The problem was first noticed by ESET’s security researchers, who informed Eltima, who in turn swiftly took their servers offline and addressed the hack and malware. Although this affected copies of Eltima products which are sold direct to the public, and not those in the Mac App Store, Apple was also involved very early.

The malware distributed to those couple of thousand users who downloaded infected apps is a remote access Trojan (RAT), which is sold to anyone prepared to pay the price. It had previously been used to infect the open source video app HandBrake with Proton.B, which has been analysed by Patrick Wardle and others.

Whoever did this abused developer certificates in the name of Clifton Grimm, which had either been generated or stolen for the purpose. Once again, software signatures didn’t stop malware from being distributed and installed.

Eltima discovered that the vulnerability which had been exploited to accomplish the breach of their servers was in a JavaScript library, tiny_mce, which had not been patched to the latest version. JavaScript, you will recall, was intended to be safe enough to use over the web. tiny_mce doesn’t seem to have a particularly poor security record, and is quite widely used in content management systems like Joomla, although there have been reports of cross-site scripting (XSS) and arbitrary script injection exploits in the past.

Eltima’s security experts then worked with ESET and Apple to clean up their servers and implement a recovery plan. This included blocking access by FTP and SSH, blocking access from suspect IP addresses, tightening up access rights, updating scripts, removing tiny_mce access as much as possible and updating its libraries, and a complete revision of server security.

Apple immediately revoked the abused security certificates, then pushed out an update to the configuration data for its Malware Removal Tool, MRT, on 22 October, and probably fully revoked security certificates in a Gatekeeper configuration data update which was pushed to Macs on 28 October.

The end result is that Eltima’s servers are back online, with a clean bill of health, and far more robustly defended against any future attack. In fact, they are now probably among the lowest-risk sites for software downloads.

There are some important lessons we can all take home. No servers are immune from attack, although clearly some are more vulnerable than others. Downloading software and updates from anywhere, even the App Store, carries a certain risk.

But it’s a risk which is greatest in the earliest hours after an attack, before anyone has detected the malware, and well before most anti-virus software can even recognise it. This is because the majority of software which tries to protect us from malware relies on signatures, such as those for Apple’s XProtect, and in a different way by Gatekeeper.

So having good conventional anti-virus protection is not actually the most effective solution. XProtect, Gatekeeper, and traditional products help limit the spread, but they do nothing to stop an attack in its initial stages. For that, you need a predictive approach based on recognising likely malware behaviour, as used by Objective-See’s products and Sqwarq’s DetectX.

There’s something to be said for users not installing their latest purchases and updates for a day or two after downloading, to give time for any problems to become apparent. But we’re always keen to try software out the instant that we have downloaded it. Some updating systems, such as the widely-used Sparkle, also make that almost impossible to achieve.

I had hoped (as I have for each major version of macOS) that High Sierra would have introduced new malware protection which adopted a predictive approach, but that doesn’t seem to be the case.

Another valuable insight in this unfortunate incident is the close collaboration between Eltima, ESET, and Apple. I often criticise Apple for its many misdemeanours, but its security response is usually first class. In this case, although Eltima is an App Store vendor, it was its non-Store products which had been attacked; it would have been so easy for Apple to have walked away and left Eltima’s staff to sort their problem. Instead, Apple showed how well it supports vendors of macOS software to keep the platform as clean as possible.

Finally, thanks to the hard work put in by security staff at Eltima, ESET, and Apple, it is safe once again to download products from Eltima. I fancy their servers are now far safer than those of many other perfectly diligent vendors.

But we still need to look out for who is next.