john_strinlai 6 hours ago

some comments purportedly (i did not verify) from one of the maintainers:

>Dear All, I'm Sam and I'm working with Franck on CPU-Z (I'm doing the validator). Franck is unfortunately OOO for a couple of weeks. I'm just out of bed after working on Memtest86+ for most of the night, so I'm doing my best to check everything. As a very first check, the file on our server looks fine (https://www.virustotal.com/gui/file/6c8faba4768754c3364e7c40...) and the server doesn't seem compromised. I'm investigating further... If anyone can tell me the exact link to the page where the malware was downloaded, that would help a lot

>Thank you. I found the biggest breach, restored the links and put everything in read-only until more investigation is done. Seems they waited until Franck was off and I got to bed after working on Memtest86+ yesterday :-/

>The links have been compromised for a bit more than 6 hours between 09/04 and 10/04 GMT :-/

so, it appears that the cpuid website was compromised, with links leading to fake installers.

cwizou 3 hours ago | parent | next [-]

For what it's worth - I used to write CPU reviews a while back - I can vouch for both Sam and Franck. Franck is the guy behind CPUID and Sam is a close friend of his, who was known for working at Canard PC on top of his work on Memtest : https://x86.fr/about-me/

john_strinlai 3 hours ago | parent [-]

that is pretty cool!

when i say i didn't verify, i just mean that i ripped these quotes out of reddit, and did not check whether the reddit username that posted the comments is known to be an identity of Sam.

cwizou 3 hours ago | parent [-]

I didn't talk to him to verify, but at the very least it's his username (and the account is old enough at this point: https://www.reddit.com/user/Doc_TB/comments/), and his very Belgian English.

I know both are close and Sam handles his website, so since the links are fixed, I have near zero doubt it's Sam here on reddit.

pseudosavant 2 hours ago | parent | prev | next [-]

Glad that they figured out the issue and fixed the links. When I first read this, I assumed it was actually the sketchy ads that are run on www.cpuid.com.

These are the real ads I just saw on a single download page for CPU-Z: "Continue to Download", "Install For windows 10, 11 32/64 bit Get Fast!", "Download", "Download now from PC APP STORE", or "Download Now For windows 10, 11 32/64 bit". Many of them appeared multiple times on the page.

The real download links don't even say they are download links.

I love the winget CLI in this situation. This is all you need: `winget install CPUID.CPU-Z`.

sysworld 19 minutes ago | parent [-]

Personally I'm fine with the scammy ads. I feel most people who would use CPU-Z are pretty technical and should be able to tell the difference between an ad download button vs the real one.

That, and you should already be using an ad blocker.

cluckindan an hour ago | parent | prev | next [-]

Any idea how the compromise was achieved?

john_strinlai 28 minutes ago | parent [-]

i have no clue. i yoinked these quotes from the reddit thread where sam replied.

i am sure that we will see a write-up once the investigation concludes. it hasn't even been a day yet though, so i imagine sam is still in damage-control mode rather than root cause analysis mode.

BoredPositron 5 hours ago | parent | prev [-]

It's the third time that I've read something about availability notifications on discord and other chats getting abused for timed attacks in the last few weeks.

magicalhippo 5 hours ago | parent | next [-]

After my Wordpress site got hacked way back through an exploit in one of the WP files, I set up a cron job that compared the hash of the static files with the expected hash, and would fire off an email if they differed.

The script lived above the web root, so they'd have to escape that to tamper with it, and was generated by another script.

Saved me a couple of times since, well worth the 15 minutes I spent on setting it up.

michaelt 3 hours ago | parent | next [-]

Back in the 1990s, there was a tool called ‘tripwire’ that checked key files against expected checksums.

As I recall, they recommended putting the expected values on a floppy disk and setting the ‘write protect’ tab, so the checksums couldn’t be changed.
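The hash-comparison cron job magicalhippo describes, combined with the write-protected baseline michaelt recalls from tripwire, as an added example (this is not magicalhippo's script and not tripwire's code). It goes a little beyond the check described above by also reporting files that were added or deleted, not only ones whose contents changed. Assumed: POSIX sh on Linux with coreutils sha256sum, find, sort and awk, plus a mail(1) command for the alert; the paths /var/www/html and /root/site.sha256 and the alert address are hypothetical placeholders.

```sh
#!/bin/sh
# Added example, not magicalhippo's script or tripwire: a minimal file-integrity
# check for a web root. A baseline of SHA-256 digests is written once and kept
# outside the web root (ideally on read-only media, as the tripwire advice
# suggests); a cron job then re-hashes the tree and alerts on any file that
# changed, appeared or disappeared.
# Assumptions: POSIX sh, find, coreutils sha256sum, sort, awk, and a mail(1)
# command for the alert (only check_and_alert touches mail; the checks run offline).

# Print "<sha256>  <relative path>" for every regular file under $1, sorted by path.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# Record the known-good state. Run once after a clean deploy, e.g.
#   build_baseline /var/www/html /root/site.sha256      (hypothetical paths)
build_baseline() {
    hash_tree "$1" > "$2"
}

# Compare the live tree in $1 against baseline file $2. Prints one line per
# difference (CHANGED / ADDED / MISSING) and returns 1 if any were found.
verify_baseline() {
    hash_tree "$1" | awk -v base="$2" '
        BEGIN {
            bad = 0
            # sha256sum lines are 64 hex chars, two spaces, then the path.
            while ((getline line < base) > 0)
                expect[substr(line, 67)] = substr(line, 1, 64)
            close(base)
        }
        {
            path = substr($0, 67); digest = substr($0, 1, 64)
            seen[path] = 1
            if (!(path in expect))           { print "ADDED   " path; bad = 1 }
            else if (expect[path] != digest) { print "CHANGED " path; bad = 1 }
        }
        END {
            for (p in expect) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad
        }'
}

# Cron entry point: silent when the tree is intact, mails the report otherwise.
check_and_alert() {
    report=$(verify_baseline "$1" "$2") && return 0
    printf 'Integrity check failed for %s:\n%s\n' "$1" "$report" \
        | mail -s "web root integrity alert" "$3"
    return 1
}

# Self-contained demonstration on a constructed throwaway site: builds the
# baseline, tampers with the tree, prints the report and returns 1 (tampered).
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/site/css"
    printf '<h1>hi</h1>\n' > "$d/site/index.html"
    printf 'body{}\n'      > "$d/site/css/main.css"
    build_baseline "$d/site" "$d/site.sha256"
    verify_baseline "$d/site" "$d/site.sha256" && echo "baseline verified: intact"
    printf 'tampered\n' > "$d/site/index.html"   # modified file
    printf 'dropper\n'  > "$d/site/drop.php"     # added file
    rm "$d/site/css/main.css"                    # removed file
    if verify_baseline "$d/site" "$d/site.sha256"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}

# Usage from cron (hypothetical script path, web root and address):
#   0 * * * * /usr/local/sbin/webcheck.sh check /var/www/html /root/site.sha256 admin@example.com
case ${1:-} in
    baseline) build_baseline "$2" "$3" ;;
    check)    check_and_alert "$2" "$3" "$4" ;;
    demo)     demo ;;
esac
```

Keep the script and the baseline file above the web root (or on write-protected media) so that an attacker who can only write inside the document root cannot silently regenerate the baseline; after every legitimate deploy, rebuild the baseline deliberately rather than letting the checker do it for you.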

FuriouslyAdrift 3 hours ago | parent | next [-]

tripwire was the original file integrity anti-virus/anti-tampering software from the security group (which turned into CERIAS) at Purdue led by Dr. Eugene "Spaff" Spafford.

https://docs.lib.purdue.edu/cstech/1084/

Terr_ 3 hours ago | parent | prev [-]

Back in the 90s I fantasized about a hard drive bay with a physical write-protect switch on the cover plate.

kqgnkqgn 3 hours ago | parent | next [-]

In the mid-2000's I briefly worked for a company that did this at a firmware level ("write-blocked firmware") for USB drive adapters (IDE / SATA / whatever IDE variant laptops were using / etc). This was apparently very valuable for police and investigative services, so they could collect evidence, while being able to show that they did not tamper with the original drive.

kjs3 2 hours ago | parent | prev [-]

Tenable makes some "read only" adapters for hard disks (SATA, PATA, SCSI & FW at least). They're usually sold as part of a forensic analysis kit. I have a couple and they definitely work. I believe there are a couple of other vendors (Wiebetech?) that make similar devices.

The alternative (tho not practical in many cases) would be RO media like RW-DVD.

daneel_w 3 hours ago | parent | prev | next [-]

Related: OpenBSD does this daily as part of running security(8) and its coverage can be expanded to include pretty much anything.

https://man.openbsd.org/security

embedding-shape 4 hours ago | parent | prev [-]

> Saved me a couple of times since

Wait, how often does your Wordpress site get successfully hacked like that?

Beretta_Vexee 3 hours ago | parent | next [-]

It depends on how long you've been using WordPress, whether you use plugins, whether they're well-maintained or not, and so on.

Back around 2010, there were security vulnerabilities in WordPress or its popular plugins almost every month.

magicalhippo 4 hours ago | parent | prev [-]

Keep in mind the first time was about 20 years ago.

One time the hosting provider got compromised, FTP server exploit IIRC, they ran a recursive search and replace from the root directory of the server.

Aurornis an hour ago | parent | prev [-]

Can you share what those other attacks were? It's helpful to study additional attacks to know what to look for.