The author of the Pale Moon browser has reported a compromise of archive.palemoon.org, the server that hosts old releases
The compromised server is currently offline for investigation. The server from which current Pale Moon releases are distributed is not affected; the problem only concerns old Windows builds installed from the archive (releases are moved to the archive as new versions come out). At the time of the hack the archive server was running Windows inside a virtual machine rented from the hosting provider Frantech/BuyVM. It is not yet clear which vulnerability was exploited, or whether it was specific to Windows or lay in some third-party server application running on the host.
After gaining access, the attackers selectively infected every exe file associated with Pale Moon (installers and self-extracting archives) with Trojan software.
On May 26, 2019, while attackers (it is unclear whether the same ones as in the first hack or others) were active on the server, normal operation of archive.palemoon.org was disrupted: the host could not reboot and data was damaged. This included the loss of system logs, which might have contained more detailed traces of the nature of the attack. At the time of this failure the administrators were not aware of the compromise; they brought the archive back up on a new CentOS-based environment and replaced FTP downloads with HTTP. Because the incident had gone unnoticed, the already infected files were carried over from the backup to the new server.
Analyzing the possible causes of the compromise, it is assumed that the attackers gained access by guessing the password of a hosting staff account, by obtaining direct physical access to the server, by attacking the hypervisor to take control of other virtual machines, by hacking the web control panel, by intercepting a remote desktop session (RDP was used), or by exploiting a vulnerability in Windows Server. The malicious changes were made locally on the server with a script that modified the existing executable files, rather than by re-uploading them from outside.
The project author states that only he had administrator access to the system, that access was restricted to a single IP address, and that the underlying Windows OS was kept updated and protected from external attacks. At the same time, RDP and FTP were used for remote access, and potentially unsafe software was run on the virtual machine, which could have led to the hack. Nevertheless, the Pale Moon author is inclined to believe that the break-in resulted from insufficient protection of the provider's virtual machine infrastructure (for example, at one time, by guessing a weak provider password through the standard virtualization management interface
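The incident hinged on two gaps: executables were rewritten in place on the archive host, and the rewritten files were later restored from backup without anyone noticing. The added example below (not Pale Moon project code) shows the control that closes both gaps: a SHA-256 manifest of the release tree built at publish time, authenticated with an HMAC whose key is kept off the archive host, and a verification pass that reports modified, missing and unexpected files. The release tree, file contents and the key are constructed for the demonstration; the HMAC key handling and the hypothetical directory layout are assumptions, not details from the report.

```python
"""Release-archive integrity check: detect executables altered in place.

Added example, not Pale Moon project code. It builds a SHA-256 manifest of a
release tree at publish time, authenticates the manifest with an HMAC whose
key lives off the archive host, and later reports files that were modified,
removed or added. The sample release tree is constructed in a temp directory.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB blocks so large installers do not load into memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root (POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON. The key must never be stored on the archive host,
    otherwise an attacker with local admin can rewrite the manifest along with the files."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison of the stored tag against a fresh HMAC."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the current tree against the manifest and classify every discrepancy."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: publish a release tree, then alter one installer in place."""
    key = os.urandom(32)  # assumption: generated and kept on the build host, not the archive
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Hypothetical archive layout with constructed file contents
        (root / "27.0").mkdir()
        (root / "27.0" / "browser-27.0.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "27.0" / "browser-27.0.tar.xz").write_bytes(b"archive")
        (root / "28.0").mkdir()
        (root / "28.0" / "browser-28.0.exe").write_bytes(b"MZ" + b"\x01" * 64)

        manifest = build_manifest(root)   # produced at publish time
        tag = sign_manifest(manifest, key)

        # Simulated in-place modification of one installer on the host
        with (root / "27.0" / "browser-27.0.exe").open("ab") as f:
            f.write(b"MODIFIED")
        # and a new executable the manifest never listed
        (root / "28.0" / "extra.exe").write_bytes(b"MZ" + b"\x02" * 8)

        report = verify_tree(root, manifest)
        report["manifest_authentic"] = manifest_is_authentic(manifest, tag, key)
        # A manifest regenerated on the host to match the altered tree fails the HMAC check
        forged = build_manifest(root)
        report["forged_manifest_authentic"] = manifest_is_authentic(forged, tag, key)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check against a restored backup before putting it back into service; files that the manifest lists with a different hash are exactly the ones that would otherwise be carried over, as happened here. Storing the manifest and its HMAC key on a separate host is the point of the design: a manifest that lives beside the files it describes offers no protection against an attacker who can already rewrite those files.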
Source: opennet.ru