Hola Browser Hit by Supply Chain Attack, Unwittingly Distributes Monero Miner
Author: Mining Provider Editorial Staff
Published:
Category: News
Summary: A supply chain attack on the Hola Browser's update channel pushed a Monero miner to Windows users; Hola says about 0.1% of users were affected and that it has since rebuilt its distribution pipeline and tightened its security controls. Users are advised to update the browser and scan their systems for malware.
Hola Browser Distributes Monero Miner After Supply Chain Attack
A supply chain attack on the Hola Browser delivered a Monero miner to Windows users' systems through the browser's own update mechanism. Security researchers at Sophos discovered the malware during routine certification checks, revealing a compromised software delivery path.
The affected product is the Chromium-based Hola Browser, developed by the Israeli company Hola, which is best known for its VPN service. During AppEsteem certification checks, analysts from Sophos and other security firms found an undeclared file named "me.exe" in the browser's installation directory that exhibited typical miner behavior.
"The file was neither digitally signed nor timestamped, contained obfuscated code, and had functions to write to memory," stated the researchers from Sophos.
Further analysis confirmed that the file was a Monero cryptominer. For persistence and evasion, the malware added exclusions to Microsoft Defender, copied itself into the "Program Files" directory as "HolaMonitorService.exe", and registered an auto-starting Windows service named "hola_monitor_svc". According to the researchers, the miner runs only while the computer is idle, a common tactic for keeping the CPU load from drawing the user's attention.
After being notified, Hola confirmed the incident; the security firm Sygnia also reported the compromise independently of Sophos. Hola played down the severity, stating that only about 0.1% of users were affected. Had the certification checks not caught the file, however, the trojanized version would have remained available to users as a regular update.
There are currently no indications of data theft or access to personal information. Following the incident, Hola said it has rebuilt its entire distribution pipeline, added code-signing checks, and significantly tightened access controls and continuous monitoring of its infrastructure, according to CEO Avi Raz Cohen.
Background on Hola's Controversial History
Hola has drawn criticism in the past for operating Luminati Networks, a service that used free users' machines as proxy nodes for paying customers' traffic. Privacy advocates and security experts have raised concerns about the lack of transparency in how that traffic was handled. How the attackers compromised the software supply chain remains unclear, as does whether platforms other than Windows were affected.
The Hola Browser bundles VPN and proxy functionality and is currently available for Windows 10 and 11, macOS 10.13 and later, Android and iOS. Hola also offers browser extensions for Chrome, Microsoft Edge and Opera on Windows and current macOS versions; these extensions have likewise drawn criticism in the past.
The Growing Risk of Supply Chain Attacks
This incident illustrates the growing danger of supply chain attacks, in which criminals compromise the distribution channel of trusted software rather than attacking individual systems directly. Users install the malware through regular updates or official installation packages without noticing anything unusual. Notably, no counterfeit website was involved here: the miner arrived through the legitimate update channel.
Hola Browser users on Windows should make sure they are running the latest version and scan their systems with an up-to-date security solution. Bleeping Computer has also asked the Israeli provider for comment but had not received a reply at the time of writing.
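The indicators reported above (the undeclared, unsigned "me.exe" in the install directory, the "HolaMonitorService.exe" copy in Program Files, the "hola_monitor_svc" service and the Defender exclusions) can be turned into a quick host check to complement the advice to scan affected systems. The following PowerShell script is an added example, not code from Hola, Sophos or Sygnia. Because the report does not state them, the install directory pattern (a folder containing "Hola" under Program Files or LocalAppData), the exact drop location under Program Files and the Defender exclusion types it inspects (path and process) are assumptions.

```powershell
# Added example (not code from Hola, Sophos or Sygnia): look for the indicators
# named in the report on a Windows host. Run from an elevated PowerShell so that
# the service and Defender queries return complete results.
#
# Assumptions, since the report does not state them: the browser's install
# directory is a folder containing "Hola" under Program Files or LocalAppData,
# the dropped copy sits directly under Program Files, and the Defender
# "exceptions" are path or process exclusions.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the auto-starting service the report names, plus any other
#    service whose binary path points at the dropped executable.
Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'hola_monitor_svc' -or $_.PathName -match 'HolaMonitorService\.exe' } |
    ForEach-Object {
        $findings.Add("Service $($_.Name): StartMode=$($_.StartMode) State=$($_.State) Path=$($_.PathName)")
    }

# 2. Dropped binary directly under Program Files (assumed location).
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) {
        $p = Join-Path $root 'HolaMonitorService.exe'
        if (Test-Path -LiteralPath $p) { $findings.Add("Dropped binary present: $p") }
    }
}

# 3. The undeclared "me.exe" (and any stray copy of the service binary) inside
#    the install directory, checked the way the researchers described it:
#    is there an Authenticode signature, and is it timestamped?
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$holaDirs = Get-ChildItem -Path $roots -Directory -Filter '*Hola*' -ErrorAction SilentlyContinue
foreach ($dir in $holaDirs) {
    Get-ChildItem -Path $dir.FullName -Recurse -File -Include 'me.exe', 'HolaMonitorService.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $stamped = if ($sig.TimeStamperCertificate) { 'yes' } else { 'no' }
            $findings.Add("File $($_.FullName): signature=$($sig.Status) timestamped=$stamped size=$($_.Length)")
        }
}

# 4. Defender exclusions that reference the miner or the browser directory.
try {
    $mp = Get-MpPreference -ErrorAction Stop
    foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess)) {
        if ($ex -and $ex -match 'Hola|me\.exe') { $findings.Add("Defender exclusion: $ex") }
    }
} catch {
    Write-Warning "Could not read Defender preferences: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the report found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A clean result only means that the names from this one report were not found; a different build of the trojanized installer could use other file or service names, so the full scan with an up-to-date security product that the article recommends is still required. If the script does report findings, the service should be stopped and deleted, the Defender exclusions removed (Remove-MpPreference), the dropped binaries quarantined for analysis, and the browser reinstalled from Hola's rebuilt distribution pipeline rather than repaired in place.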
Key Takeaways
- Hola Browser users may have unknowingly installed a Monero miner due to a supply chain attack.
- Hola confirmed the incident, claiming only 0.1% of users were affected.
- Users are advised to update their browsers and check their systems for security.