One of the Pale Moon project's servers hacked, with malware inserted into the archive of old releases

The author of the Pale Moon browser has disclosed a compromise of the archive.palemoon.org server, which stored an archive of past browser releases up to and including version 27.6.2. During the hack, the attackers infected every Pale Moon installer executable for Windows stored on the server with malware. According to preliminary data, the malicious substitution took place on December 27, 2017 and was detected only on July 9, 2019, i.e. it went unnoticed for about a year and a half.

The affected server is currently offline for investigation. The server from which current Pale Moon releases are distributed is not affected; the problem only concerns old Windows builds installed from the archive (releases are moved to the archive as new versions come out). At the time of the hack the server was running Windows inside a virtual machine rented from the hosting operator Frantech/BuyVM. It is not yet clear what vulnerability was exploited, or whether it was specific to Windows or affected some third-party server application running on it.

After gaining access, the attackers selectively infected all exe files associated with Pale Moon (installers and self-extracting archives) with the trojan Win32/ClipBanker.DY, which steals cryptocurrency by replacing bitcoin addresses in the clipboard. Executable files inside zip archives were not affected. A user could have detected the tampered installers by verifying the digital signatures or the SHA256 hashes published alongside the files. The malware used is also detected by most current antivirus products.
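The check described above, comparing each downloaded installer against its published SHA256 hash, is shown here as an added example; it is not code from the Pale Moon project or from the original article. It reads a `sha256sum`-style manifest (`<hex digest>  <filename>`), streams each file through SHA-256 and reports which files match, differ or are absent. The file names, the manifest and the "tampered" bytes in the demo are constructed for illustration and are not the real archive's contents. The same routine, run periodically on the server against a manifest kept off-host, is also the kind of integrity monitoring that would have flagged the modified executables long before a year and a half had passed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read installers in 1 MiB pieces; they can be large


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <filename>' or '<hex> *<filename>') into {filename: hex}.

    Blank lines and '#' comments are ignored; a malformed line raises ValueError
    rather than being silently skipped, so a truncated manifest cannot pass as complete.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or any(c not in "0123456789abcdef" for c in parts[0].lower()):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return expected


def verify_files(directory, expected):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry."""
    results = {}
    for name, digest in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one clean installer, one modified after the manifest was written, one absent."""
    workdir = Path(tempfile.mkdtemp(prefix="pm-archive-"))
    # Hypothetical file names; the bytes below stand in for real installers.
    clean = workdir / "palemoon-27.6.2.win32.installer.exe"
    tampered = workdir / "palemoon-27.6.2.win64.installer.exe"
    clean.write_bytes(b"MZ" + b"\x00" * 4096)
    tampered.write_bytes(b"MZ" + b"\x01" * 4096)

    # The manifest is produced from the original (pre-tampering) bytes,
    # as a publisher would do at release time.
    manifest = "\n".join([
        "# constructed SHA256SUMS for the demo",
        f"{sha256_of_file(clean)}  {clean.name}",
        f"{sha256_of_file(tampered)} *{tampered.name}",
        f"{'0' * 64}  palemoon-27.6.2.win32.zip",  # listed but never placed in the directory
    ])

    # Simulate the on-server modification of an existing executable.
    with open(tampered, "r+b") as f:
        f.seek(1024)
        f.write(b"\xff" * 16)

    return verify_files(workdir, parse_manifest(manifest))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

A hash list fetched from the same server as the installers offers no protection if the attacker can edit both; for the scenario in this article, the Authenticode signature on the executable (verified by the OS against the publisher's certificate) is the stronger check, and the hash manifest is useful mainly when it is kept or mirrored somewhere the archive host cannot write to.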

On May 26, 2019, during attacker activity on the server (it is not clear whether these were the same attackers as in the first hack or different ones), normal operation of archive.palemoon.org was disrupted: the host could not reboot and data was damaged. This included the loss of system logs, which might have contained more detailed traces indicating the nature of the attack. At the time of this failure the administrators were unaware of the compromise and restored the archive using a new CentOS-based environment, replacing FTP downloads with HTTP. Since the incident had not been noticed, the already-infected files from the backup were carried over to the new server.

In analysing the possible causes of the compromise, the following vectors are considered: guessing the password of a hosting staff account, gaining direct physical access to the server, attacking the hypervisor to take control of other virtual machines, hacking the web control panel, intercepting a remote desktop session (the RDP protocol was in use), or exploiting a vulnerability in Windows Server. The malicious changes were made locally on the server, using a script to modify the existing executable files, rather than by re-uploading them from outside.

The project's author states that only he had administrator access to the system, that access was restricted to a single IP address, and that the underlying Windows OS was kept updated and protected against external attacks. At the same time, RDP and FTP were used for remote access, and potentially unsafe software was run on the virtual machine, either of which could have been the avenue for the break-in. However, the Pale Moon author is inclined to believe that the hack was made possible by insufficient protection of the provider's virtual machine infrastructure (for example, the OpenSSL website was once compromised through a weak provider password on the standard virtualization management interface).

Source: opennet.ru
