Microsoft warned that a PDF editor was carrying a mining program after being hacked
The Microsoft team released a report saying that the company detected an attack on the software supply chain in which users were sent a package carrying a mining program through the vulnerability.
The problem arises because, during installation, the PDF editor downloads and installs some of the font rendering packages it requires.
The attacker used the vulnerability to tamper with the target of that font download and switch it to the mining program, which was implanted into the system as the PDF editor completed its installation and then began mining.
Attacks against the software supply chain:
The attacker first set up a server hosting the mining program alongside the font files, and then exploited the PDF editor’s vulnerability to alter its font download parameters.
The user downloads the PDF editor normally, and the installer carries a digital signature proving it has not been tampered with, but during installation the font library download is pointed at the hacker’s server.
The end user completes a standard installation, yet the mining program has entered the user’s computer through the PDF editor. This kind of attack has left Microsoft puzzled.
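The weakness the article describes is that the installer's signature covers only the installer itself, not the font packages it fetches later; if the download target is changed, a signed installer will happily run whatever comes back. The defensive fix is for the signed installer to carry a manifest that pins, for every secondary component, both the expected download host and the expected content hash, and to refuse anything that fails either check. The following is an added example written for this article, not code from Microsoft or from the unnamed PDF editor; the component name, hostnames, URLs and package bytes are all constructed for illustration.

```python
"""Pin and verify an installer's secondary downloads (constructed example)."""
import hashlib
from urllib.parse import urlparse

# Constructed manifest. In a real installer this table would ship inside the
# signed package, so the signature on the installer extends to the fonts too.
COMPONENT_MANIFEST = {
    "asian-fonts": {
        "host": "fonts.example-vendor.invalid",  # constructed hostname
        "sha256": hashlib.sha256(b"FAKE-FONT-PACKAGE-v1").hexdigest(),
    },
}


def verify_component(name: str, url: str, blob: bytes) -> tuple:
    """Return (ok, reason) for a downloaded component.

    The download is accepted only if the component is known, the transport is
    HTTPS, the host matches the pinned host, and the SHA-256 of the received
    bytes matches the pinned hash. Order matters: a redirected download is
    rejected on host before any content is trusted.
    """
    entry = COMPONENT_MANIFEST.get(name)
    if entry is None:
        return False, "unknown component"
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "insecure transport"
    if parsed.hostname != entry["host"]:
        return False, f"unexpected download host {parsed.hostname!r}"
    digest = hashlib.sha256(blob).hexdigest()
    if digest != entry["sha256"]:
        return False, "content hash mismatch"
    return True, "ok"


def run_scenarios() -> dict:
    """Exercise the three cases relevant to the article (all inputs constructed)."""
    genuine = b"FAKE-FONT-PACKAGE-v1"
    miner = b"FAKE-MINER-PAYLOAD"  # stand-in for a swapped package
    return {
        # Normal install: right host, right bytes.
        "genuine": verify_component(
            "asian-fonts", "https://fonts.example-vendor.invalid/asian.msi", genuine),
        # Download parameters redirected to an attacker-controlled host.
        "redirected": verify_component(
            "asian-fonts", "https://attacker.invalid/asian.msi", miner),
        # Host untouched but the file on the server replaced.
        "swapped_on_host": verify_component(
            "asian-fonts", "https://fonts.example-vendor.invalid/asian.msi", miner),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_scenarios().items():
        print(f"{case:16s} accepted={ok} reason={reason}")
```

The hash check is the part that matters for the incident above: because neither a man-in-the-middle nor DNS hijacking was needed to change where the fonts came from, a host allowlist alone would not have helped if the legitimate server had been altered, whereas a content hash pinned inside the signed installer rejects the substituted package regardless of how the redirection was achieved.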
Microsoft has not figured out the specific attack methods:
In this attack, the PDF editor’s installation package is still a regular, signed package. Although the server was tampered with, it does not look like a man-in-the-middle attack.
It is not a man-in-the-middle attack, and it does not look like DNS hijacking either. So how the hackers managed to tamper with the font downloads remains a puzzle, and Microsoft has not figured out the specific cause.
What is currently known is that the domain names were registered with a Ukrainian domain name registrar three years ago, and were not used until the first three months of this year.
Who is this PDF editor?
Unfortunately, Microsoft did not specify the name of the PDF editor. Microsoft said only that the software is an alternative to Adobe Acrobat Reader.
At the same time, the hacker’s forged font library download targets the Asian font series, so it may refer to a very well-known PDF editor.
Source, Image: Microsoft