HandBrake Security: A Postmortem Analysis



Post by HandBrake »

On May 6, 2017, the HandBrake Team became aware of a security breach affecting one of the project's first-party download servers. Four days prior, an unknown and unauthorized party replaced the macOS download file HandBrake-1.0.7.dmg with a version containing malware now known as OSX/Proton.B.

The following is a brief timeline and analysis of the events that transpired. We hope our efforts in transparency will be of service to the many people using HandBrake and the greater software community.

What happened
Despite maintaining critical infrastructure with the most recent software and security updates, an attacker was able to use a software vulnerability to gain access to and manipulate data on one of the servers providing downloads of HandBrake 1.0.7 for Mac. The infected file was then made available for download over a four day period.

No alarms were triggered on the affected server during the break-in. Remote monitoring was available, but emergency notifications were not being sent. Thus, the HandBrake Team initially became aware of the breach via members of the HandBrake Community Forums, rather than an internal process.

Upon becoming aware of the breach, the HandBrake Team immediately took the affected server offline and took additional security precautions. Within 20 minutes of these actions, the team publicly reported the incident on the HandBrake Community Forums.

May 2
An attacker breached the download server at download.handbrake.fr, modifying the file HandBrake-1.0.7.dmg to include malware. The affected file's user and modification date were not changed and no alarms were triggered on the host.

14:45 UTC: The first instance of the affected file being served was logged by the server.

May 5
23:08 UTC: A HandBrake Community Forums member reported a hash mismatch and possible malware affecting the Mac download.

May 6
Early morning: Additional reports appeared on the forums.

06:10 UTC: A HandBrake Team member who did not have authorization necessary to make changes to server infrastructure noticed the reports and alerted the rest of the team via the #handbrake-dev IRC channel and other private means.

07:50 UTC: Another team member took the affected server offline permanently. This team member immediately began to investigate the breach and verified no other public assets had been affected. Authentication methods for all infrastructure were reset. Team members with access to the affected server generated new personal SSH keys and passwords.

08:10 UTC: The team posted an emergency alert on the HandBrake Community Forums advising of the attack. This post was updated with relevant information as it became known.

10:02 UTC: A member of Apple's security team contacted the HandBrake Team to discuss the malware. Both teams' responses were already underway. Apple's XProtect software was updated to detect and prevent infection of OSX/Proton.B later that day.

11:36 UTC: The SSL certificate for the affected server, which was already taken offline, was officially revoked.

Over the following week, the entire HandBrake server infrastructure was replaced as a precaution. The original servers were taken offline as services were migrated.

May 9
10:16 UTC: A team member became aware that the malware was attempting to contact an IP address hosted in the Netherlands and contacted the associated provider. Contrary to misreporting in tech media, this IP address was never associated with the HandBrake project. The host was subsequently taken down by the provider's abuse department.

About the malware
Proton is an advanced malware for macOS. The variant OSX/Proton.B was discovered as a result of this breach. At the time of the HandBrake security breach, no antivirus or other security software detected OSX/Proton.B.

A previous variant, OSX/Proton.A, was discovered by security researchers in February (read more at Malwarebytes and SixGill), unrelated to the HandBrake security breach, which occurred in May.

The attacker modified the Mac download of HandBrake to include OSX/Proton.B, effectively creating a Trojan Horse. Launching the maliciously modified HandBrake.app also launched OSX/Proton.B, which presented a fake system password authentication dialog designed to appear as if presented by the macOS operating system. After tricking the user into providing their password, it then used related privileges to steal other data on the host.

You can read more about OSX/Proton.B, including how to determine if you've been affected and what to do in response, at Cybereason, Intego, and Objective-See.

Proton malware sells on the internet for approximately 40,000–100,000 USD with payment made in BTC (Bitcoin). The author of Proton is not publicly known.

Who is affected
At the time of the breach, two server mirrors were used to distribute HandBrake downloads. Only one of these server mirrors was compromised. Anyone downloading HandBrake-1.0.7.dmg between May 2 and May 6 had a 50/50 chance of receiving the infected file.

According to our server logs, the infected file was downloaded 19,115 times. Of those downloads, 8,096 were rejected and not installed by the Sparkle update framework used by HandBrake's automatic update functionality, for one of two reasons: 1) the cryptographic signature used by the HandBrake 1.0.0 release series was invalid for the compromised download, or 2) an incompatibility between the Sparkle version used in older HandBrake releases and macOS Sierra prevented updating. The remaining 11,019 were predominantly manual downloads via a web browser and likely compromised any machines they were installed on.

If you manually downloaded HandBrake for Mac from the web between May 2 and May 6, you may be affected. If you are running macOS older than Sierra and HandBrake older than version 1.0.0, you may be affected if an automatic update was attempted.

You can read more about OSX/Proton.B, including how to determine if you've been affected and what to do in response, at Cybereason, Intego, and Objective-See.

What we learned
While the number of viable compromised downloads is small (approximately 0.22%) compared to the number of successful, valid downloads of the HandBrake 1.0.0 release series, even one malicious download is too much. We absolutely value the HandBrake community and the trust they've placed in us to provide malware-free software for over a decade. We believe we have dealt with this incident seriously and swiftly, and apologize for the inconveniences caused. We also believe that transparency is key to earning trust.

This was a sophisticated attack. Perhaps the most unfortunate observation of the attack is that proper security precautions do not always guarantee prevention of sophisticated attacks, especially in the case of an unknown software vulnerability. For this reason, it is vitally important that monitoring techniques be employed for early notification of any suspicious activity.

Remote monitoring of our binary downloads and other assets was insufficient at the time of the attack in that emergency notifications were not being sent. We take full responsibility for this insufficiency. After the initial triage following the breach, we immediately accelerated our rollout-in-progress of automated asset monitoring to improve our ability to detect such threats quickly. All important assets are now being verified automatically, and emergency notifications are properly being sent in the event an unauthorized change is detected.

In addition, we recently began cryptographically signing releases using GPG. Read more and get the HandBrake Team's GPG public key here.

We wish to thank the HandBrake Community Forum members who reported the issue on May 5 and 6. We are continually grateful for the impressive community around this software.

We also wish to thank all who have been in communication regarding the attack on the HandBrake Community Forums, GitHub, and other channels. Most of the discussion has been level-headed and objective, which certainly helps when the pressure is on. We greatly appreciate your patience and assistance.

Frequently asked questions

How can I determine whether I am affected by the malware?
If you still have the file HandBrake-1.0.7.dmg in your Downloads folder, you can check to see whether its checksum matches what is published by the HandBrake Team. See our Checksums page on GitHub for more information. Additionally, we recommend you validate the signature provided matches our GPG key. See our GPG page on GitHub for more information.

In the event of a checksum mismatch, please delete the file by dragging it to your Trash and emptying the Trash. If in doubt, delete your copy of HandBrake-1.0.7.dmg and download again.

You can read more about OSX/Proton.B, including how to determine if you've been affected and what to do in response, at Cybereason, Intego, and Objective-See.

Can I still be infected by this malware?
New infections of OSX/Proton.B are unlikely at this point.

At the time of the breach, no antivirus or other security software detected OSX/Proton.B. Apple's XProtect now contains the appropriate definitions necessary to prevent infection. Clean macOS systems that are up to date should not be able to run new instances of the malware.

It may still be possible to be infected by interacting with the known bad download file on a macOS system lacking the latest security updates. For this reason, we recommend you validate your download using a checksum and our GPG key. See the previous FAQ item for more information.

Was my personal data sent to HandBrake's servers?
No. We do not track our users and we do not transmit personal data.

One of the IP addresses associated with the malware briefly redirected to handbrake.fr, fooling some into thinking it was part of our infrastructure. On the contrary, we recognized this IP address as foreign and contacted the associated provider, who then took the malicious host offline.

Would an app signature created using an Apple Developer ID have prevented this attack?
Unfortunately, no.

While we are working toward signing our Mac application using an Apple Developer ID, this would not prevent an unsuspecting person from bypassing macOS Gatekeeper and running the malware-infected download. Thankfully, Apple's XProtect should do exactly this from now on.

Would providing downloads via another service have prevented this attack?
Some have speculated that serving downloads via a third party (insert name of big company here) would lower the potential for a security breach. In fact, many of the suggested service providers have been breached in previous months or years. Additionally, the 10 TB of outgoing data transfer required to serve more than one million downloads per month is cost-prohibitive for some services and a violation of the terms of use for others.

We previously used SourceForge to deliver a large portion of our downloads, but our increasing concern over seemingly malicious advertising tactics used by then owner Dice Holdings caused us to remove our assets from the site.

History shows that proper security is not tied to any single vendor, and large companies are not immune from breaches. There is no silver bullet, so to speak. Good security requires a multi-layered approach and consideration of the entire attack surface. The most effective means for dealing with this specific type of incident would be to receive an emergency notification as soon as possible so that the attack could be shut down. This is why we have placed such emphasis on enhancing our asset monitoring and emergency notification infrastructure.

We are also in discussion with our good friends at VideoLAN regarding potential infrastructure collaboration.

HandBrake is related to Transmission, which was similarly compromised in March 2016. Is there a correlation?
HandBrake and Transmission are related in that both projects were originally developed by Eric Petit. While we maintain contact with Eric, he is not a HandBrake Team member and HandBrake does not share infrastructure with the Transmission project.

As a security precaution following the breach, we rebuilt our entire server infrastructure from scratch. Eric kindly assisted us in this effort.

What is HandBrake? Is it a DVD ripper?
No. While HandBrake does support DVD and Blu-ray sources, it does not rip commercial discs employing copy protection.

HandBrake converts various video formats to the more widely supported MP4 and MKV formats. HandBrake works with videos created by consumer and professional video cameras, mobile devices such as phones and tablets, game and computer screen recordings, and more. HandBrake takes videos you already have and makes new ones that work on your mobile phone, tablet, TV media player, game console, computer, or web browser—nearly anything that supports modern video formats.

See About HandBrake for more information.

What security measures does the HandBrake Team take to protect me?
HandBrake's source code is managed using Git. We use GitHub for repository hosting, issue tracking, and outside developer contributions. In recent years we retired self-hosted solutions such as Trac and Review Board to reduce the attack surface on our servers.

The servers powering the HandBrake website and its download mirrors use container isolation to separate services, and we keep them up to date with the latest software and security updates. We also limit access to these servers and services to a trusted core of individuals. We use industry standard secure authentication methods everywhere.

Downloads are served over HTTPS. The HandBrake application's built-in software update functionality on Mac and Windows uses a cryptographic signature to validate downloaded files, which prevented thousands of potential infections during this breach. We also make checksums available for manually validating the integrity of files you download from us.

After the initial triage following the breach, we immediately accelerated our rollout-in-progress of automated asset monitoring to improve our ability to detect such threats quickly. All important assets are now being verified automatically, and emergency notifications are properly being sent in the event an unauthorized change is detected.

In addition, we recently began cryptographically signing releases using GPG. Read more and get the HandBrake Team's GPG public key here.

I have more questions; how can I get answers?
Feel free to get in touch via the HandBrake Community Forums or IRC. For more information on our support channels, see Community Support.
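The post makes two practical recommendations: content-level monitoring of published assets with an emergency notification on any unauthorized change (the "What we learned" section notes that the attacker left the file's modification date untouched, so a timestamp-based check would have missed the swap), and checksum verification of a manually downloaded HandBrake-1.0.7.dmg (the first FAQ item). The following Python is an added example written for this page; it is not HandBrake's own tooling and was not part of the original post. It assumes a checksum list in `shasum -a 256` format ("<hex digest>  <filename>", one asset per line), uses constructed sample bytes and temporary files in place of real downloads, and stands in a placeholder `notify` function for whatever pager or e-mail integration a project actually uses. The Windows file name in the monitoring scenario is hypothetical.

```python
"""Added example (not HandBrake's tooling): (1) baseline-and-compare asset
monitoring by content hash, which catches a replaced file even when its mtime
is preserved, and (2) verification of a download against a published checksum
list. Assumption: the list is in `shasum -a 256` format."""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# (1) asset monitoring -------------------------------------------------------

def record_baseline(paths):
    """Record content digest and mtime (ns) for every published asset."""
    return {p: {"sha256": sha256_file(p), "mtime_ns": os.stat(p).st_mtime_ns}
            for p in paths}


def check_by_mtime(baseline):
    """Naive check: reports only assets whose modification time changed."""
    return sorted(p for p, b in baseline.items()
                  if os.stat(p).st_mtime_ns != b["mtime_ns"])


def check_by_hash(baseline):
    """Content check: reports assets whose SHA-256 digest no longer matches."""
    return sorted(p for p, b in baseline.items()
                  if sha256_file(p) != b["sha256"])


def notify(changed):
    """Emergency-notification hook (placeholder). Returns the alert count."""
    for p in changed:
        print(f"ALERT: unauthorized change detected in {p}")
    return len(changed)


def demo_monitor():
    """Constructed scenario: an asset's bytes are replaced, its mtime restored."""
    with tempfile.TemporaryDirectory() as d:
        dmg = os.path.join(d, "HandBrake-1.0.7.dmg")
        exe = os.path.join(d, "HandBrake-1.0.7-win.exe")  # hypothetical name
        with open(dmg, "wb") as f:
            f.write(b"constructed clean installer bytes")
        with open(exe, "wb") as f:
            f.write(b"constructed other asset bytes")
        baseline = record_baseline([dmg, exe])
        st = os.stat(dmg)
        with open(dmg, "wb") as f:
            f.write(b"constructed replaced installer bytes")
        # Reproduce the post's observation: modification date left unchanged.
        os.utime(dmg, ns=(st.st_atime_ns, st.st_mtime_ns))
        return {"mtime_check": [os.path.basename(p) for p in check_by_mtime(baseline)],
                "hash_check": [os.path.basename(p) for p in check_by_hash(baseline)]}


# (2) download verification --------------------------------------------------

def parse_checksums(text):
    """Map filename -> digest from a shasum-style list; reject malformed lines."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(parts) != 2 or len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"malformed checksum entry on line {lineno}: {raw!r}")
        table[parts[1].lstrip("*")] = digest  # '*' marks binary mode in shasum output
    return table


def verify_download(path, checksums):
    """Return 'ok', 'mismatch', or 'not listed' for the file at `path`."""
    expected = checksums.get(os.path.basename(path))
    if expected is None:
        return "not listed"
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"


def demo_verify():
    """Constructed scenario: clean file, altered file, and a file not in the list."""
    clean = b"constructed clean installer bytes"
    published = f"# constructed list\n{hashlib.sha256(clean).hexdigest()}  HandBrake-1.0.7.dmg\n"
    table = parse_checksums(published)
    with tempfile.TemporaryDirectory() as d:
        dmg = os.path.join(d, "HandBrake-1.0.7.dmg")
        with open(dmg, "wb") as f:
            f.write(clean)
        ok = verify_download(dmg, table)
        with open(dmg, "wb") as f:
            f.write(clean + b" plus unexpected trailing bytes")
        bad = verify_download(dmg, table)
        other = os.path.join(d, "unknown-file.dmg")
        with open(other, "wb") as f:
            f.write(clean)
        return {"clean": ok, "altered": bad, "unlisted": verify_download(other, table)}


if __name__ == "__main__":
    print(demo_monitor())
    print(demo_verify())
```

Two design points follow from the incident as described. The monitor compares digests rather than timestamps because the post states the modified file's date was unchanged; in the constructed run, `check_by_mtime` reports nothing while `check_by_hash` reports the replaced .dmg, and that difference is what triggers `notify`. On the client side, a checksum list only helps if it cannot be swapped together with the download, which is why the post pairs it with a GPG-signed release: fetch the list from the project's GitHub Checksums page rather than the download mirror, and check the signature with `gpg --verify` against the team's published key before trusting the digests.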