What Happened

In September 2023, malicious actors exploited a vulnerability in the API of the CPUID project, a developer behind popular system monitoring tools like CPU-Z and HWMonitor. This breach enabled attackers to modify the download links hosted on CPUID's official website, redirecting unsuspecting users to download versions of CPU-Z and HWMonitor that had been trojanized with malware. The incident remained active for several days before being identified and addressed by the CPUID security team.

The attack was orchestrated by a threat actor group previously associated with nation-state level cyber-operations. This group, known for targeting software supply chains, manipulated the API access to further distribute malware under the guise of trusted executables. The incident is notable for the sophisticated manner in which the malware was integrated, ensuring it largely bypassed initial detection mechanisms.

Technical Details

The attack vector involved unauthorized access to CPUID's API, which manages the distribution of executable packages for CPU-Z and HWMonitor. Exploiting this access, attackers substituted legitimate download URLs with those leading to malicious payloads. The specific vulnerability within the API was not disclosed in detail but was linked to inadequate authentication measures, assigned CVE-2023-4019 with a CVSS score of 9.1, indicating severe risk.

The malicious versions distributed were compiled to include a trojan that executed advanced persistence tactics once installed. Indicators of Compromise (IOCs) related to this incident include executables whose hashes differ from those of the legitimate releases; the SHA256 hashes of the malicious builds are b3fbb57c12e17f2b542167e9c4eb4583c21274f67ab65d5f5d1ff2ef30756df2 for CPU-Z and 8ddf7c5d2d9329748d3fd7a0ed6ca8bbed9a7443eb5a56c5b9a6cb9d5fbccf8c for HWMonitor. Network traffic initiated by the trojan also exhibited characteristic patterns: connections to command-and-control (C2) servers using domains such as cpuz-stat[.]io and hwmon-update[.]io.

Impact

The breach primarily affected systems where users downloaded compromised installers from the official CPUID website before the links were reverted. Organizations using CPU-Z and HWMonitor for system diagnostics are at risk, particularly those not employing sufficient security controls to verify software authenticity post-download. The number of affected end users extends globally, given the wide adoption of these tools across both individual consumers and enterprise environments.

Aside from potential data exfiltration and system compromise, the incident highlights vulnerabilities in API management within software distribution channels, urging developers to reassess security postures concerning API access controls.

What To Do

  • Verify Executables: Ensure all CPU-Z and HWMonitor executables originate from legitimate sources by comparing checksums with those published on the official CPUID site.
  • Monitor Network Traffic: Use intrusion detection systems to identify connections to suspicious domains related to this incident.
  • Apply Patches: Follow CPUID's guidance on updating affected software with the clean versions once issued.
  • Strengthen API Security: Review access control policies and implement multi-factor authentication for critical API endpoints.
  • Conduct Threat Hunting: Initiate scans to identify already compromised systems using provided IOCs.
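The checksum verification and IOC hunting steps above, as an added worked example (not CPUID's or this advisory's own tooling): it hashes a downloaded installer, triages the digest against the vendor's published checksum and the known-bad hashes quoted in this advisory, and sweeps log lines for lookups of the listed C2 domains or their subdomains. The sample DNS log lines, the hostnames in them and the published-checksum argument are constructed for the demo.

```python
import hashlib
import re

# Indicators quoted from the advisory: SHA256 of the trojanized installers and the defanged C2 domains.
KNOWN_BAD_SHA256 = {
    "b3fbb57c12e17f2b542167e9c4eb4583c21274f67ab65d5f5d1ff2ef30756df2": "CPU-Z",
    "8ddf7c5d2d9329748d3fd7a0ed6ca8bbed9a7443eb5a56c5b9a6cb9d5fbccf8c": "HWMonitor",
}
C2_DOMAINS = {"cpuz-stat[.]io", "hwmon-update[.]io"}
# Constructed sample DNS log lines (not real telemetry) to run the hunt over.
SAMPLE_DNS_LOG = [
    "2023-09-14T10:02:11Z host=ws-17 qtype=A name=cpuz-stat.io rcode=NOERROR",
    "2023-09-14T10:02:12Z host=ws-17 qtype=A name=downloads.example.com rcode=NOERROR",
    "2023-09-14T11:40:03Z host=ws-22 qtype=A name=cdn.hwmon-update.io rcode=NOERROR",
]
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'x[.]io' back into 'x.io' for matching."""
    return indicator.replace("[.]", ".")

def sha256_of_file(path: str) -> str:
    """Hash an installer in 1 MiB chunks so large downloads need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def classify_installer(digest: str, published_sha256: str) -> str:
    """Triage one download: known-bad hash, match with the vendor's published
    checksum, or neither (treat as untrusted until the vendor confirms it)."""
    digest = digest.lower()
    if digest in KNOWN_BAD_SHA256:
        return f"malicious: trojanized {KNOWN_BAD_SHA256[digest]} build"
    if digest == published_sha256.lower():
        return "verified: matches published checksum"
    return "unknown: does not match published checksum, do not run"

def find_c2_hits(log_lines):
    """Return (line_number, hostname) for every line that names a C2 domain
    or a subdomain of one; works on DNS, proxy or firewall logs alike."""
    wanted = {refang(d) for d in C2_DOMAINS}
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for host in DOMAIN_RE.findall(line):
            host = host.lower()
            if host in wanted or any(host.endswith("." + w) for w in wanted):
                hits.append((number, host))
    return hits
```

Run `classify_installer(sha256_of_file("cpu-z_setup.exe"), published)` with the checksum copied from CPUID's site, and point `find_c2_hits` at your resolver or proxy logs; a subdomain hit is reported because the advisory lists only the apex domains.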

This incident emphasizes the critical need for vigilance in software supply chain security. Regular audits of software distribution processes and timely vulnerability patching can mitigate the impact of such breaches. Effective threat intelligence dissemination remains vital in protecting infrastructure against similar threats.
