Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack

The widely used Daemon Tools application, known for its disk image mounting capabilities, has fallen victim to a significant supply-chain attack that lasted for an entire month, according to researchers. Kaspersky, the cybersecurity firm investigating the incident, said that the attack commenced on April 8 and remained active at the time of its report. Malicious updates were delivered through the developer’s own servers, affecting installers signed with the official digital certificate and downloaded directly from the website. This compromise allowed the malware to execute Daemon Tools executables upon system boot.

While Kaspersky did not specify, the technical details suggest that the affected versions are limited to those running on Windows, particularly versions 12.5.0.2421 through 12.5.0.2434. The malware embedded in the compromised versions is designed to gather sensitive information, including MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. This data is then transmitted to an attacker-controlled server.

The attack has reportedly impacted thousands of systems across over 100 countries, and among the infected machines, approximately 12 belong to sectors such as retail, science, government, and manufacturing, indicating a targeted approach.

This incident adds to a troubling trend of supply-chain attacks, following previous breaches like the poisoning of the CCleaner utility in 2017, the SolarWinds software compromise in 2020, and the recent 3CX VoIP client breach in 2023. Such attacks are particularly challenging to defend against, as users unknowingly install malware through seemingly legitimate updates from official channels. The detection of this attack took weeks, similar to the timeline observed with the 3CX incident.

Kaspersky's researchers emphasized the sophistication of the DAEMON Tools compromise, noting the challenges in uncovering the attack and the importance for organizations of scrutinizing any machines running DAEMON Tools for unusual activity after April 8.

Sources: Ars Technica

Published On: May 05, 2026, 19:50
