it firm softserve hacked locked down plundered

dvo
Posts: 977
Joined: February 7th, 2016, 6:08 am

it firm softserve hacked locked down plundered

Post by dvo »

https://www.technadu.com/it-firm-softserve-hacked-locked-down-plundered/200133/
Misuse of Rainmeter, and they replaced Rainmeter's DLLs :o
Is there a way to check whether the DLLs are genuine?
If they aren't, Rainmeter won't run: could that be a solution? ;-)
Brian
Developer
Posts: 2063
Joined: November 24th, 2011, 1:42 am
Location: Utah

Re: it firm softserve hacked locked down plundered

Post by Brian »

After reading some of the articles on this, there are some big holes in the story.

Most articles mention that "the attackers replaced Rainmeter.dll with a malicious version". This is a big red flag to me for several reasons. This implies the system was already "exploited" in some way... or worse, the bad guys had physical access to the machine. The attacker would have to know that Rainmeter was present on the system to "exploit" anything. This should have been the main focus of the story, since the attacker got into the system somehow.

If Rainmeter was previously installed on this system (and not by the attackers), then that IT person should be fired. Most professional companies do not allow "unauthorized" programs to be installed on critical machines. If it was a standard Rainmeter installation, then a UAC prompt would have occurred when the file was replaced, unless the IT person turned that off. It also seems too strange to go to the trouble of producing a hacked version of Rainmeter.dll when access to the system had already happened (or was planned). Once you have access to the machine, you can do things like this in a much easier way.

I guess another possibility is that the IT person somehow did not get Rainmeter from rainmeter.net, or was tricked into downloading and running the malicious version. I would like to think a quality IT person would not do that, but you never know.

Anyway....

It's unfortunate that Rainmeter was the chosen medium to do this. Any open-source program could have been used.

The Rainmeter installer as well as Rainmeter.exe and Rainmeter.dll are all digitally signed, but that doesn't mean you cannot compile your own version of Rainmeter and make any changes you want. That is the nature of open source software.

We will discuss internally any options that we have (if any).

-Brian
dvo
Posts: 977
Joined: February 7th, 2016, 6:08 am

Re: it firm softserve hacked locked down plundered

Post by dvo »

Yes, you're right on that. If you've got access to it all, why put some DLLs in Rainmeter? (Maybe easy to run after boot without a check?)
They were already in the system before placing the DLLs; I think they already had read/write access, so why bother...
And as an IT specialist you had to know it would compromise the system...
If you install external software on the systems, that's rule no. 1: never use unknown software on your secure systems...
jsmorley
Developer
Posts: 21387
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: it firm softserve hacked locked down plundered

Post by jsmorley »

It always was our intention that Rainmeter be open source, which means that anyone can get the source code and compile a version that does whatever they like. We have no control over that, nor should we.

Just be sure that you only install Rainmeter that you get from https://www.rainmeter.net/, and never, ever turn off UAC on your computer.

And as Brian said, anyone who allows Rainmeter to be installed on a company computer(s) should immediately be fired. It is not designed, nor intended, to be used in a commercial environment.
dvo
Posts: 977
Joined: February 7th, 2016, 6:08 am

Re: it firm softserve hacked locked down plundered

Post by dvo »

If you do, you will set off the alarm of your house and grant them access... bit stupid if you do... :D

You're right on that. I even had a system admin who put an open wireless router on the closed system. I'm happy he isn't admin any more... :lol:
jsmorley
Developer
Posts: 21387
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: it firm softserve hacked locked down plundered

Post by jsmorley »

If you want to be sure, you can view the "Properties" of the Rainmeter installer that you get from https://www.rainmeter.net.

Check the "Digital Signatures", and be sure it looks like this:

[attached screenshot 1.jpg: the Digital Signatures tab of the installer's Properties dialog]

While anyone can get the source code for Rainmeter and can compile their own version, what they can't do is digitally sign the executables with our certificate. If there is no digital certificate for the version you get from somewhere, or if the certificate doesn't match this one, then don't run it.

The installer itself, and all the .exe and .dll executables deployed by the installer, are digitally signed.
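Looking at the Digital Signatures tab is the manual version of this check. The PowerShell script below is an added example, not code from the Rainmeter project or from anyone in this thread: it runs the same Authenticode verification over the installer and over every .exe and .dll under the install directory, which also answers the earlier question about telling genuine DLLs from replaced ones. The installer filename, the install path and the expected signer name are assumptions and placeholders; copy the real "Name of signer" from the Digital Signatures tab of an installer downloaded from https://www.rainmeter.net/.

```powershell
# Added example (not Rainmeter project code). Verifies Authenticode signatures on the
# Rainmeter installer and on every .exe/.dll deployed under the install directory.
# ASSUMPTIONS: the paths below and $ExpectedSigner are placeholders; take the real
# "Name of signer" from the Digital Signatures tab of a known-good installer.

param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\Rainmeter-4.4-r3404-beta.exe",
    [string]$InstallDir     = "$env:ProgramFiles\Rainmeter",
    [string]$ExpectedSigner = "<Name of signer copied from a known-good installer>"  # placeholder
)

function Test-RainmeterSignature {
    param([string]$Path, [string]$ExpectedSigner)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # Status 'Valid' means the signature verified and the certificate chain is trusted.
    # 'HashMismatch' means a signed file was modified in place after it was signed.
    # 'NotSigned' is what a self-compiled, unsigned replacement reports.
    # Comparing the signer subject catches a file that is validly signed, but by someone else.
    $signerOk = $subject -like "*$ExpectedSigner*"
    $genuine  = ($sig.Status -eq 'Valid') -and $signerOk

    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Genuine = $genuine
    }
}

# Collect the installer (if present) plus all executables and DLLs in the install directory.
$files = @()
if (Test-Path -LiteralPath $InstallerPath) { $files += Get-Item -LiteralPath $InstallerPath }
if (Test-Path -LiteralPath $InstallDir) {
    $files += Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Include '*.exe', '*.dll'
}

$results = $files | ForEach-Object {
    Test-RainmeterSignature -Path $_.FullName -ExpectedSigner $ExpectedSigner
}
$results | Format-Table -AutoSize

# Anything that is not Genuine deserves a look before Rainmeter is started again.
$suspect = $results | Where-Object { -not $_.Genuine }
if ($suspect) {
    Write-Warning ("{0} file(s) failed the check: {1}" -f @($suspect).Count, ($suspect.File -join ', '))
    exit 1
}
```

Run it from a normal PowerShell prompt after filling in the placeholders. A file reported as HashMismatch has been altered after signing; one reported as NotSigned, or as Valid under a different signer, is not the build the project shipped. Plugins that skins install later are placed under the user's profile rather than the install directory, so they are outside this check and would need their own trusted signer names. As the posts above say, this confirms only that the files are unmodified and from the expected signer; it says nothing about whether Rainmeter should be on the machine at all.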
SilverAzide
Posts: 956
Joined: March 23rd, 2015, 5:26 pm

Re: it firm softserve hacked locked down plundered

Post by SilverAzide »

Huh...
More specifically, the damage was reportedly contained to the mail system and some of the auxiliary test environments.
Maybe this is why DeviantArt just perma-banned me for being a "spammer", which is pretty laughable.
Yincognito
Posts: 2629
Joined: February 27th, 2015, 2:38 pm
Location: Terra Yincognita

Re: it firm softserve hacked locked down plundered

Post by Yincognito »

Yeah, actually the whole thing is laughable, even though it had serious consequences:

- it's not about using Rainmeter at your work place - there's nothing wrong with it in my view (yeah, I know, I again disagree with the official stance and recommendations on this, but this is what having a mind of my own looks like) - it's the downright incompetent employee who downloaded Rainmeter from an untrusted source (basically anything other than this site) or allowed subsequent modifications of the files locally (if that was the case)
- the DeviantArt spammer thing is again probably due to incompetence, since these "decisions" are nowadays actually based on some flawed automated process that just counts whatever traffic and takes one route or another depending on an X>Y approach without any relevant additional parameters (just like the stupid automated responses to questions on Microsoft sites)

In the end, I see that incompetence of all kinds is actually rewarded (which is why these people get into those positions) in the "modern world" and when it comes to place the blame, all of what a clueless nuthead in some office will understand is "don't use this app here or there or ever" or "ban this account or that account cause too much 'suspicious' traffic". In other words, they probably won't bother to look deeper into the matter and solve the root problem, but adopt a superficial stance and make it easier for themselves. This will, of course, result in the problem happening again next time, as no valuable lesson or conclusion will be extracted from these events.

Sorry if my opinion was different from others. :confused:
redorbroder
Posts: 3
Joined: September 14th, 2020, 8:54 am

Re: it firm softserve hacked locked down plundered

Post by redorbroder »

Hello!
Found out the other day SilverAzide was missing which led me here.

Rainmeter-4.4-r3404-beta.exe
Opening "Issuer Statement" links to
https://secure.comodo.net/CPS
The browsers I tested (Firefox, Chrome, Waterfox) block the site?
Is this normal?
All certificates look identical to the screenshots shown here.

Thanks for any info and hopefully SilverAzide will be back soon!

Best regards,
redorbroder
jsmorley
Developer
Posts: 21387
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: it firm softserve hacked locked down plundered

Post by jsmorley »

Yincognito wrote: September 13th, 2020, 11:23 pm Yeah, actually the whole thing is laughable, even though it had serious consequences:

- it's not about using Rainmeter at your work place - there's nothing wrong with it in my view (yeah, I know, I again disagree with the official stance and recommendations on this, but this is what having a mind of my own looks like) - it's the downright incompetent employee who downloaded Rainmeter from an untrusted source (basically anything other than this site) or allowed subsequent modifications of the files locally (if that was the case)
- the DeviantArt spammer thing is again probably due to incompetence, since these "decisions" are nowadays actually based on some flawed automated process that just counts whatever traffic and takes one route or another depending on an X>Y approach without any relevant additional parameters (just like the stupid automated responses to questions on Microsoft sites)

In the end, I see that incompetence of all kinds is actually rewarded (which is why these people get into those positions) in the "modern world" and when it comes to place the blame, all of what a clueless nuthead in some office will understand is "don't use this app here or there or ever" or "ban this account or that account cause too much 'suspicious' traffic". In other words, they probably won't bother to look deeper into the matter and solve the root problem, but adopt a superficial stance and make it easier for themselves. This will, of course, result in the problem happening again next time, as no valuable lesson or conclusion will be extracted from these events.

Sorry if my opinion was different from others. :confused:
My point has always been that it doesn't make sense to "deploy" Rainmeter in a business environment, as it simply can't be "controlled" by a central authority, someone responsible for security of the network and computers in a company. It is designed to be under the control of the ultimate end-user of the computer, and simply can't effectively be locked-down in any way. So given that, and given that a poorly designed or even purposefully evil skin that some less-sophisticated user can download and install from anywhere in the world can do great harm to both the individual computer and the overall company network, I would NEVER allow it to be used in any environment where security is a concern.

Even if you can be sure that every computer has a version of the Rainmeter executables that are directly from us, and are safe, and fully tested and verified, that is only half the battle. How do you stop an end-user from downloading a badly behaved skin from some Russian website and installing it? Any security administrator in a company that simply trusts that end-users are going to know what they are doing, and takes a "hands off" approach to protecting the company assets is a waste of a salary. Just go ahead and file for bankruptcy now, and save time.

It's going to depend a great deal on how computers are deployed and used in a given company, how many end-users you are trying to wrangle into reasonably safe behavior, and what your threshold for risk is, but make no mistake: Rainmeter is not particularly "secure" in a business environment.