June 30, 2016
Please note that following an internal investigation, we determined that EvLog 3.05 had been compromised and the update process modified to point to a tampered version of EvLog. The compromised version of EvLog was online between Apr 9, 2015 and Apr 26, 2015. The software has been updated, the installation process restored to the legitimate site, and the signing certificates replaced.
If you downloaded or updated the software between Apr 9 and Apr 26, 2015, the likelihood of additional malware, tools, or attacker access within the environment is considered to be high. Altair recommends that affected parties investigate this incident further to determine the full scope of any additional compromised systems, user accounts, and modified or accessed critical data. Altair also recommends that affected parties not take any immediate remediation actions without first devising a response plan, as changes to the network or endpoints could cause investigative artifacts or evidence to be altered or deleted. In addition, because this malware or the attackers could have installed other families of malware or additional channels allowing access to the affected party's network and resources, premature remediation or action without proper investigation, scoping, and analysis may be ineffective in alleviating the current threat.
Additional security measures have been implemented in order to detect any future attacks against the software location and update files.
Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.
Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.