back to article Font of pwnage: Crims poison well with crypto-jacking code, trickles into PDF editor app

Crooks mounted a crypto-mining scam after hacking into a supplier of an unnamed PDF editor software vendor. Microsoft has reported that as-yet-unidentified hackers compromised some font packages installed by a PDF editor app. The hack was used to push two types of crypto-currency mining app, the cybercrime du jour. Redmond's …

  1. adnim Silver badge
    Holmes

    "The whole exercise is a fine example of a supply chain attack"

    One of the many attack vectors.

    Does this exploit work on all operating systems?

    Maybe the OS handling of fonts is an issue as well as a compromised supply chain.

    Just a thought

    1. Mark 85 Silver badge

      Re: "The whole exercise is a fine example of a supply chain attack"

      Part of this is probably the way apps/programs are installed on Windows. User clicks "install", gets "yes/no" popup and off it runs. I remember some programs decades ago that wanted "yes/no" (and had an option to see the file particulars) for every executable installed. But.. everyone wants "fast" and gives their trust freely with no thinking involved.

      I can understand (to a point) that AV won't always catch this stuff and bring it to the attention of the user, but still one would think that mining apps have some sort of code that's a give away in them.

      1. RobinCM

        Re: "The whole exercise is a fine example of a supply chain attack"

        Presumably the same thing could occur with the various package managers like apt or rpm? They seem to pull down a load of dependencies on the fly, so all somebody has to do is compromise some frequently used library package or whatever, and bingo.

        We've also talked about dynamically linked JavaScript on websites, where the code is hosted elsewhere.

        Seems like there are many opportunities for supply chain type problems to occur.

        1. DCFusor Silver badge

          Re: "The whole exercise is a fine example of a supply chain attack"

          @RobinCM

          I suspect your downvote came either from someone whose bread is buttered by remote hosted JavaScript or some linux fanatic (I'm one but not a downvote at all).

          No one likes it when you expose how shaky the whole house of cards has become...it'd be a really major pita to fix all this. And no, signing isn't going to work any better than it did for the recipients of Stuxnet.

          "If buildings were built the way programmers code, the first woodpecker to come along would destroy the world".

          Any honest programmer who understands how systems work won't be able to disagree with the above.

        2. Michael Wojcik Silver badge

          Re: "The whole exercise is a fine example of a supply chain attack"

          Presumably the same thing could occur with the various package managers like apt or rpm?

          Yes, or the ones that pull source components, such as Maven and NPM.

          Or a developer's account for some popular open-source package is compromised, and malware is injected into the source.

          Supply-chain attacks are becoming more common, and will continue to grow.

  2. Anonymous Coward
    Anonymous Coward

    A small number of users

    > Microsoft reckons the compromise lasted between January and March 2018, and affected only a small number of users, strongly suggesting a fringe developer was targeted.

    So, everyone then.

    1. alt_92

      Re: A small number of users

      So we're all Asian then.

      Remember the broo-ha-ha when node.js NPM got injected with malicious bits?

  3. Rob D.
    Unhappy

    Installer beware

    Hard to read that Microsoft summary of the 'incident' with all of the 'look how fantastic MS Win Def ATP was'. But it does state:

    > "The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation."

    Wondered if there was a CVE for this or if there's other mitigation not mentioned - silent download and installation of an unsigned MSI file during signed app installation. That seems a much bigger problem to solve than waxing lyrical about how good your AV product is.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019