8/15/2017 04:10 PM

Server Management Software Discovered Harboring Backdoor

ShadowPad backdoor found embedded in a software product used by major organizations around the globe to manage their Linux, Windows, and Unix servers.

A Windows-based server management software product used by hundreds of organizations worldwide was found rigged with a malicious backdoor tucked inside its source code.

The so-called ShadowPad backdoor was discovered on Aug. 4 by Kaspersky Lab during an incident response investigation for a financial institution partner. The cyber espionage malware was embedded in one of the source code libraries of NetSarang Computer's July 18, 2017 software builds. Its Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, were all compromised.

Kaspersky Lab alerted NetSarang, which issued an update the next day, Aug. 5, for its customers to download. The software is used by organizations in finance, education, telecommunications, manufacturing, energy, and transportation, to manage their Windows, Unix, and Linux servers.

Igor Soumenkov, principal security researcher for Kaspersky Lab, says the only known victim of the backdoor thus far is a Hong Kong-based organization, but it's possible there are others.

The malicious software module is the first stage of a multi-layered attack and was activated on several victims' servers in the APAC region. Kaspersky Lab says the attack has the earmarks of Chinese-speaking cyber espionage attack groups such as PlugX and Winnti, but it can't confirm that these are the attackers behind ShadowPad.

Such supply chain-style attacks are still rare in cyber espionage, Soumenkov notes, and this is the second such case this year. The first was the NotPetya attack, where attackers compromised the update server of an accounting software product called MeDoc that's mostly used in Ukraine. The malware infected customers as they updated their accounting software.

"This is a pretty rare thing," he says, especially for a popular software program like NetSarang's. "We don't have any information" on how NetSarang was compromised, he says. "There's an investigation going on."

According to a blog post by Kaspersky Lab today, the attackers may have modified the source code or patched the software with their malicious code. "An investigation is in progress, but since code was signed and added to all software packages it could point to the fact that attackers either modified source codes or patched software on the build servers," they wrote.

NetSarang had not responded to requests for an interview at the time of this posting.

John Bambenek, threat systems manager at Fidelis Cybersecurity, says it does appear to be a possible Chinese operation given the supply-chain attack strategy and the victims' locations. "But I don't know if there's enough evidence to make a strong conclusion," and false flags are always possible.

"I always appreciate when the adversary raises the state of play," he says. "The problem with this technique is that you're [the attacker] going to get a foothold in a lot of places you may not necessarily care about."

Soumenkov says it's unclear just what specific information the ShadowPad attackers are after. But they are definitely strategically targeting systems used by users with the most access in corporate networks: "This server management software is run by system admins, usually privileged users in corporate networks," he says. "We think these machines are used to obtain access to more important parts of corporation" resources, he says.

Kaspersky Lab investigators in the financial institution's incident response investigation initially spotted a server involved in financial transaction processing generating suspicious DNS requests. "We took the software that was" making the DNS requests and analyzed it, Soumenkov says. "At the same moment, we found a very suspicious piece of code found in APTs [advanced persistent threats], viruses, and Trojans, and not in legitimate software. We started to dig more and more and found an APT-like platform inside."

Only the first stage of the APT platform was activated, he says, and it was sending DNS queries to its command-and-control server once every eight hours. It sent the name of the server and its domain name, and if the targeted machine was useful to them, the attackers could silently activate the full backdoor platform inside the server. The attackers also encrypted their code to mask it.
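A defender-side check for the beaconing pattern just described (each infected host querying one domain at a fixed, long interval), as an added example that is not code from the article, Kaspersky Lab, or NetSarang; the resolver log format, host names, and the c2-placeholder.example domain are constructed for the example.

```python
# Added example: flag client/domain pairs whose DNS lookups are spaced at a
# near-constant long interval, which is how the first-stage beacon above behaved
# (one query to the C2 domain roughly every eight hours). Not the article's code.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: "<ISO timestamp> <client> <queried name>"
SAMPLE_LOG = """\
2017-08-01T00:03:11 txn-srv-01 time.windows.com
2017-08-01T01:02:40 txn-srv-01 c2-placeholder.example
2017-08-01T09:02:38 txn-srv-01 c2-placeholder.example
2017-08-01T09:15:02 txn-srv-01 update.example.org
2017-08-01T17:02:41 txn-srv-01 c2-placeholder.example
2017-08-02T01:02:39 txn-srv-01 c2-placeholder.example
2017-08-01T08:00:00 web-srv-02 update.example.org
2017-08-01T12:30:00 web-srv-02 update.example.org
2017-08-01T13:00:00 web-srv-02 update.example.org
"""

def parse_log(text):
    """Yield (client, queried_name, timestamp) from the constructed log format."""
    for line in text.splitlines():
        ts, client, name = line.split()
        yield client, name.lower().rstrip("."), datetime.fromisoformat(ts)

def find_beacons(text, min_queries=4, min_period_s=3600, max_jitter=0.05):
    """Return (client, name, mean_period_s) for each client/name pair whose
    queries recur at a near-constant interval of at least min_period_s."""
    series = defaultdict(list)
    for client, name, ts in parse_log(text):
        series[(client, name)].append(ts)
    hits = []
    for (client, name), stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Low relative spread between gaps separates a timer-driven beacon
        # from human- or cache-driven lookups of the same name.
        if period >= min_period_s and pstdev(gaps) / period <= max_jitter:
            hits.append((client, name, round(period)))
    return hits
```

Long-period beacons like this one are invisible to rate-based DNS alerts, so the interval regularity, not the volume, is the signal to key on.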



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
