Application Security

8/15/2017
04:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Server Management Software Discovered Harboring Backdoor

ShadowPad backdoor found embedded in a software product used by major organizations around the globe to manage their Linux, Windows, and Unix servers.

A Windows-based server management software product used by hundreds of organizations worldwide was found rigged with a malicious backdoor tucked inside its source code.

The so-called ShadowPad backdoor was discovered on Aug. 4 by Kaspersky Lab during an incident response investigation for a financial institution partner. The cyber espionage malware was embedded in one of the source code libraries of NetSarang Computer's July 18, 2017 software builds. Its Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, were all compromised.

Kaspersky Lab alerted NetSarang, which issued an update the next day, Aug. 5, for its customers to download. The software is used by organizations in finance, education, telecommunications, manufacturing, energy, and transportation, to manage their Windows, Unix, and Linux servers.

Igor Soumenkov, principal security researcher for Kaspersky Lab, says the only known victim of the backdoor thus far is a Hong Kong-based organization, but it's possible there are others.

The malicious software module is the first stage of a multi-layered attack and was activated in several victims' servers in the APAC region. Kaspersky Lab says the attack has the earmarks of Chinese-speaking cyber espionage attack groups such as PlugX and WinNTi, but they can't confirm that these are the attackers behind ShadowPad.

Such supply chain-style attacks are still rare in cyber espionage, Soumenkov notes, and this is the second such case this year. The first was the NotPetya attack, where attackers compromised the update server of an accounting software product called MeDoc that's mostly used in Ukraine. The malware infected customers as they updated their accounting software.

"This is a pretty rare thing," he says, especially for a popular software program like NetSarang's. "We don't have any information" on how NetSarang was compromised, he says. "There's an investigation going on."

According to a blog post by Kaspersky Lab today, the attackers may have modified the source code or patched the software with their malicious code. "An investigation is in progress, but since code was signed and added to all software packages it could point to the fact that attackers either modified source codes or patched software on the build servers," they wrote.

NetSarang had not responded to requests for an interview at the time of this posting.

John Bambenek, threat systems manager at Fidelis Cybersecurity, says it does appear to be a possible Chinese operation given the supply-chain attack strategy and the victims' locations. "But I don't know if there's enough evidence to make a strong conclusion," and false flags are always possible.

"I always appreciate when the adversary raises the state of play," he says. "The problem with this technique is that you're [the attacker] going to get a foothold in a lot of places you may not necessarily care about."

Soumenkov says it's unclear just what specific information the ShadowPad attackers are after. But they are definitely strategically targeting systems used by users with the most access in corporate networks: "This server management software is run by system admins, usually privileged users in corporate networks," he says. "We think these machines are used to obtain access to more important parts of corporation" resources, he says.

Kaspersky Lab investigators in the financial institution's incident response investigation initially spotted a server involved in financial transaction processing generating suspicious DNS requests. "We took the software that was" making the DNS requests and analyzed it, Soumenkov says. "At the same moment, we found a very suspicious piece of code found in APTs [advanced persistent threats], viruses, and Trojans, and not in legitimate software. We started to dig more and more and found an APT-like platform inside."

Only the first stage of the APT platform was activated, he says, and it was sending the DNS queries to its command-and-controls server once every eight hours. It sent the name of the server and its domain name, and if the targeted machine was useful to them, the attackers could activate the full backdoor platform silently inside the server. The attackers encrypted their code to mask it as well.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14633
PUBLISHED: 2018-09-25
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The at...
CVE-2018-14647
PUBLISHED: 2018-09-25
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming larg...
CVE-2018-10502
PUBLISHED: 2018-09-24
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 4.2.18.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exist...
CVE-2018-11614
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists wit...
CVE-2018-14318
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S8 G950FXXU1AQL5. User interaction is required to exploit this vulnerability in that the target must have their cellular radios enabled. The specific flaw exists within the handling of ...