This video shows how supply chain attacks turn software trust into a vulnerability, demonstrating that even legitimate download pages and updates can be weaponized. It provides a necessary technical reality check for anyone who blindly follows the "always update" security mantra.
Stop Updating Your Software (No, Seriously)
Well, well, well. Would you look at the time, it's supply chain o'clock.
CPU-Z and HWMonitor were very temporarily compromised in a supply chain attack. Now, if you're not aware, CPU-Z and HWMonitor are very useful tools if you're trying to figure out more information about your computer: voltages, temperatures, and fan speeds. These are great tools, and because of that, the computer-building, kind of tech-enthusiast community uses these tools all the time. And unfortunately they were compromised recently in a supply chain attack that affected a lot of people. Now, luckily for me, I actually use HWMonitor.
I had to use HWMonitor when the Intel overclocking issue happened about 2 years ago and I had to figure out if I had, like, a bad version of the CPU. Luckily for me, I did not update. Another instance where not updating saves me from my own compromise. So between April 3rd and April 10th of this year, the download links on these sites, literally where you click and download the piece of software, you click here to get the setup in English or whatever, those links were replaced with a link to a different place, a Cloudflare R2 bucket that served a different version of the .exe. With that .exe, now out of nowhere your version of HWiNFO would have Russian dialogues, and that's a little suspicious to begin with. But it would drop a crypt-based sideloading chain. It would use NDLL processing through a .NET assembly to do in-memory execution of some payload which eventually would call out to this IP address here to do its evil bidding.
Right? Not a great place to be if you're trying to securely use the internet.
Now, there's a few things that make this kind of interesting. First of all, in classic supply chain fashion, this was caught relatively quickly, in like a week, which is, you know, pretty short term for a long-term supply chain attack like this. It was caught by people on Reddit talking about, hey, I went to go install HWMonitor 163 and I got HWiNFO monitor. Just to be very clear, HWMonitor is one tool by CPUID, and then HWiNFO is a completely separate tool. This is a different tool maintained by a different company, used by NASA on the moon, I'm assuming. And what's cool about this, I guess, is that people noticed very quickly: oh wait a minute, HWiNFO monitor? I didn't want this. I wanted HWMonitor. What's going on? And then very quickly on X it got caught up, or people started posting about it, and people working at the company reported on it, and it got caught in a matter of days. People downloaded and installed this software and noticed very quickly, okay, A, the file name is wrong. B, it presents Russian-language installation dialogues.
Hm. And an immediate indicator that it was not built by CPUID, which by the way is a French company, right? So a French company serving an English-compiled or English-targeted piece of software is not presenting Russian-language dialogues with a different file name. Not a great way to start off your Tuesday. Okay. So yeah, again, it uses DLL sideloading, which basically is when a binary depends on a particular DLL, you can ship that same DLL name with the binary with malicious features inside. And because that binary depends on that DLL, the DLL can run malicious code, right? And then ultimately call out to this IP address here on this high port, which Break Glass, who's writing this report (cool report, I'll put the link in the description below), they call out that they did this high port because it would actually avoid detection as a non-standard port. But again, whenever I see network traffic, any communication going out to a high port like this, like 31415, I'm like, what the freak is going on? Either it's diagnostic software for some weird embedded device, or it's C2 communication. The easiest way to blend in with normal traffic is to register a legitimate domain name and just use TLS with Let's Encrypt, and like you're never going to get caught by anybody unless that domain gets flagged, right? And so that IP address actually is associated to a header allocation, but is operated by a company in the Caribbean, which is weird. But this is where it gets even more interesting. If you look at the passive DNS traffic related to that IP address in the past, it notes a few other campaigns, right? So a while back, I think it was like March of last year, or maybe it was this year. Yeah, a FileZilla campaign. So FileZilla, if you're not aware, also got compromised.
All right. So, if you're a young'un, or you're not like an old 31-year-old like me, you may not have heard of FileZilla, but FileZilla is an FTP solution, SFTP, that allows you to connect to servers and upload and download software over FTP, right? This is actually literally how I used to deploy my PHP and MySQL applications on Apache, right? Little WAMP stack, XAMPP stack. And so this is a fake website that is used to deploy a Trojanized version of FileZilla that was seen back in March of this past year. So if you look at the actual traffic related to that same IP address, you'll notice that this same infrastructure was used for that compromise. So we're starting to see, I mean they say a Russian-speaking actor, but to me it's just somebody that wants to appear like a Russian-speaking actor. So it could be literally any nation in the world, in my opinion, that is using the same infrastructure for a variety of either supply chain attacks that are compromising software or, you know, just literal typosquatting or so squatting to get people to download Trojanized pieces of software. Now the question on everybody's mind, right, is how did this initial access happen? How did we get to a place where this malicious content was being served? You know, a lot of the time to do this kind of attack, you have to have either some kind of internal access, where like somebody at the company got paid to do this, or they got hacked into, right? And so on CPU.com, for a long time, apparently it ran this older version of Apache that was known for 34 different CVEs. Now, a lot of the time Apache itself is not vulnerable.
Apache obviously is a well-documented, well-audited piece of software that is likely to have, you know, as few bugs as possible, because everyone cares about a zero-day in Apache, right? But Apache, like any other HTTP server, has a variety of modifications, and one of them is mod_rewrite, that allows you to change URL requests to Apache. Now this vulnerability is again just a moderate-confidence assessment by Break Glass Intelligence on how they think they got in. And guys, every day it feels like there's another supply chain attack where some major package gets hacked and ultimately somebody gets compromised.
Their credentials get compromised and ultimately sold on the dark web. And that's why today's video is sponsored by Flare. Guys, infostealer malware is compromising employee devices and their credentials are ending up on the dark web. With Flare's threat intelligence, we can see that they've actually collected over 5 million, almost 6 million, events of just stealer log collection in the last 3 months. These stealer logs have credentials that have been stolen from people just like you and me that use computers. It's honestly insane. And by searching here on Flare in their global search, you can specify what kind of data you want to see. In just the last 30 days, there have been 19,443 collections just on infected devices being captured in stealer logs, meaning they're pulling credentials off those devices and selling them in some form or fashion on the dark web. What's cool about Flare is all you have to do is put your identities into the system. No passwords or anything like that. You can just put in your emails, and if one of these gets captured in one of these events, they will send you an email with what they found and you can compare that against what you know to be true. Guys, with Flare, you can stay ahead of attackers by looking directly into the eyes of the infostealer economy. Pretty cool. If you want to see if infostealer malware is throwing around your data, go see if Flare is right for you and your organization to stay ahead of attackers.
Thanks for sponsoring the video, Flare.
Back to the video. So, this CVE allows an attacker to map specific URLs to file system locations that are not intended to be served, potentially exposing server-side scripts or configuration files. With write access to the web root or CMS backend, the attacker can modify download links to point to a Cloudflare R2 staging bucket.
So their assertion here is like, hey, it is possible that inside of the server there is a YAML file or a JSON file that is accessible read/write to the Apache server user on the server. Right? And so by exploiting the CVE they were able to have a URL point to that config file, and then were able to modify that config file to have one of the download URLs point to the Cloudflare R2 staging bucket. And then, to make it even more complicated: so this is a Russian-speaking actor, supposedly, based on the installer dialogues, but the infrastructure was registered through a Chinese registrar, using some registrar in Hong Kong, but the devices that were being used, the physical hosting, were actually hosted at an offshore Caribbean company named, I'm not going to try to pronounce this here. And so what makes this really complicated for people trying to, like, infer who the threat actor is, is A, multiple languages, multiple locations, but also B, if you're trying to, like, prosecute somebody. Well, you know, they had the attack server on this random offshore Caribbean company, but it was registered to Hong Kong, but they're technically in Russia.
So, it makes it very complicated for law enforcement to actually do anything, right? Which is really an interesting way of, like, kind of spreading out how you get, you know, found out. If you're a defender trying to stop your network from getting hacked by something like this, or maybe you're just a person at your house and you think you may have downloaded the wrong version, you know, you can use any kind of IDS/IPS to put in these indicators here. So this is the actual C2 server that is being talked out to via the malware once it gets downloaded. And this is some amount of other domains that have been seen with the threat actor, right? So you have your FileZilla project just installed panel.
I'm assuming some C2 panel or C panel.
And what's kind of scary is there is rnetopera.org, which makes me feel like there's some other campaign that either I missed or, like, hasn't been caught yet, where they're maybe impersonating an Opera download. I'm not going to go there right now, but maybe you should.
You should email me about it. Yeah, and these are the files obviously associated, right? You have the HWMonitor. This is the SHA of the sideloaded DLL, and this is the DLL that gets sideloaded. And this is, I think, the same malware, but it gets sideloaded in the FileZilla campaign, right? So, kind of neat that they're seeing not only the same C2, but the same sideloading technique with the same malware being used across all of these.
And this apparently, yeah, this uh sample goes back all the way to July of 2025. It's kind of interesting. Yeah.
And they have really good Snort or YARA signatures here, too. If you want to try to figure out if you're actively compromised by this, literally just put these into your IDS and IPS and you can figure it out. Anyway guys, as usual, thanks for watching. I appreciate it. If you like this video, hit that like button and let me know what else you want to see on this channel. What else do you want me to cover? What other stuff do you want me to talk about? Let me know down there.
Now, before you go, I did make a video about a malware campaign that we saw that was just like this, with some really interesting obfuscation techniques. If you want to check that out, the video is right here. If you're still here, go click. Okay, goodbye.
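Two of the defender-side checks the video gestures at, written here as an added example that is not part of the video or of the Break Glass report: flagging vendor download links that point off-site (the swapped R2 bucket link), and flagging outbound flows to unusual high ports like 31415. The hostnames, addresses and log format are constructed placeholders, not the campaign's indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a vendor download page where one link was swapped to
# point at an external object-storage bucket. Hostnames are placeholders.
SAMPLE_HTML = """
<a href="https://download.vendor.example/hwmonitor_setup.exe">Setup English</a>
<a href="https://download.vendor.example/hwmonitor.zip">ZIP English</a>
<a href="https://abc123.r2.cloudflarestorage.example/setup.exe">Setup English</a>
"""

# Constructed firewall log lines. Port 31415 mirrors the high port called out
# in the video; the addresses are documentation ranges, not real IOCs.
SAMPLE_LOGS = """
2026-04-05T10:01:02 allow 10.0.0.5 -> 203.0.113.10:443
2026-04-05T10:01:09 allow 10.0.0.5 -> 203.0.113.10:80
2026-04-05T10:02:31 allow 10.0.0.7 -> 198.51.100.23:31415
2026-04-05T10:03:00 allow 10.0.0.9 -> 203.0.113.44:8443
"""

# Ports an outbound flow is normally expected to use; tune for your network.
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995, 8080, 8443}
LOG_RE = re.compile(r"^(\S+) (\w+) (\S+) -> (\S+):(\d+)$")


def offsite_download_links(html, vendor_domain):
    """Return hrefs of download links whose host is not under vendor_domain."""
    hits = []
    for href in re.findall(r'href="([^"]+)"', html):
        host = urlparse(href).hostname or ""
        if not (host == vendor_domain or host.endswith("." + vendor_domain)):
            hits.append(href)
    return hits


def high_port_connections(log_text, allowlist=COMMON_PORTS):
    """Return (src, dst, port) for flows to ports >= 1024 not on the allowlist."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, _action, src, dst, port = m.groups()
        if int(port) >= 1024 and int(port) not in allowlist:
            hits.append((src, dst, int(port)))
    return hits


if __name__ == "__main__":
    print(offsite_download_links(SAMPLE_HTML, "vendor.example"))
    print(high_port_connections(SAMPLE_LOGS))
```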