In early May the developers of HandBrake (a popular open-source video transcoder) issued an alert that a mirror download server hosting the Mac version of the app had been hacked. The legitimate version of HandBrake for Mac was replaced with a version infected with a variant of OSX.PROTON, a trojan that lets attackers remotely obtain root privileges on infected computers. HandBrake warned that anyone who had installed HandBrake for Mac needed to verify whether their system was infected with the malware.
Here is the notification posted in the HandBrake forum thread: "Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it". The post goes on to give detailed steps for removing the malware. Besides removing any installs of HandBrake.app, users should also change any passwords that may be stored in the OS X Keychain or in browser password stores.
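The check the forum post asks for, computing a downloaded file's SHA-256 and comparing it to the digest the project publishes, as an added example that is not part of the forum post or this article. The expected digest must be taken from the project's official site, not from the mirror the file came from, since in this incident it was the mirror that was compromised. The sample file and its digest below are constructed for the demo.

```shell
#!/bin/sh
# Added example: refuse to run a downloaded installer unless its SHA-256
# matches the digest published by the project (assumed to be obtained
# out-of-band from the official site, not from the mirror).
# Uses sha256sum where available (GNU coreutils) and falls back to
# shasum -a 256 (present on macOS).

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_HEX
# Returns 0 when the file's digest matches, 1 otherwise (hex case-insensitive).
verify_download() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demo with a constructed file whose contents are the bytes "abc";
# the digest below is the well-known SHA-256 of that string.
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
published_digest=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

if verify_download "$demo_file" "$published_digest"; then
    echo "digest verified; it is safe to proceed with installing $demo_file"
else
    echo "refusing to run $demo_file" >&2
fi

# A tampered copy (one extra byte) fails the check and is not run.
tampered_file=$(mktemp)
printf 'abcd' > "$tampered_file"
if ! verify_download "$tampered_file" "$published_digest" 2>/dev/null; then
    echo "refusing to run $tampered_file: digest does not match"
fi
rm -f "$demo_file" "$tampered_file"
```

The script compares only the SHA-256 value; the same pattern applies to the SHA-1 sum the post also mentions, but SHA-256 is the one to rely on where both are published.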
Though the affected server was shut down soon afterwards, and Apple updated its XProtect definitions to defend against the new Proton variant, some users were still caught by the attack. On Wednesday, Panic developer and co-founder Steven Frank said in a blog post that much of the source code behind Panic's apps was stolen by someone who used the malware-infected version of HandBrake. He inadvertently downloaded the infected app on his work Mac, confirmed the admin privileges request, bypassed the Gatekeeper warning, and then his Mac was "completely, entirely compromised in 3 seconds or less".
As a result, his git credentials were stolen and used to clone several source code repositories. The attacker(s) demanded a large bitcoin ransom to prevent the release of the source code, and after internal discussion Panic decided to refuse.
Panic makes iOS and macOS apps including the web editor Coda, the FTP app Transmit, the SSH client Prompt, and the adventure game Firewatch. In Steven Frank's words, "somebody, somewhere, now has quite a bit of source code to several of our apps". He later made the following three points to reassure users of the affected apps:
- There’s no indication any customer information was obtained by the attacker.
- Furthermore, there’s no indication Panic Sync data was accessed.
- Finally, our web server was not compromised.
According to the post, the theft of source code could lead to malware-infected builds of the company's apps appearing on the Internet. Panic therefore reminded users not to download its apps from anywhere other than the official website or Apple's App Store.
Panic has cooperated with Apple and the FBI: Apple is now "standing by to quickly shut down any stolen/malware-infested versions of our (Panic) apps", and the FBI is actively investigating. Panic also asks users to report infected versions of its apps, or any related information that could help with the investigation into this incident.
What’s your opinion about this security incident? Let us know in the comments.