A Windows-based server management software product used by hundreds of organizations worldwide was found rigged with a malicious backdoor tucked inside its source code.
The so-called ShadowPad backdoor was discovered on Aug. 4 by Kaspersky Lab during an incident response investigation for a financial institution partner. The cyber espionage malware was embedded in one of the source code libraries of NetSarang Computer's July 18, 2017 software builds. Its Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, were all compromised.
Kaspersky Lab alerted NetSarang, which issued an update the next day, Aug. 5, for its customers to download. The software is used by organizations in finance, education, telecommunications, manufacturing, energy, and transportation, to manage their Windows, Unix, and Linux servers.
Igor Soumenkov, principal security researcher for Kaspersky Lab, says the only known victim of the backdoor thus far is a Hong Kong-based organization, but it's possible there are others.
The malicious software module is the first stage of a multi-layered attack and was activated in several victims' servers in the APAC region. Kaspersky Lab says the attack has the earmarks of Chinese-speaking cyber espionage attack groups such as PlugX and WinNTi, but they can't confirm that these are the attackers behind ShadowPad.
Such supply chain-style attacks are still rare in cyber espionage, Soumenkov notes, and this is the second such case this year. The first was the NotPetya attack, where attackers compromised the update server of an accounting software product called MeDoc that's mostly used in Ukraine. The malware infected customers as they updated their accounting software.
"This is a pretty rare thing," he says, especially for a popular software program like NetSarang's. "We don't have any information" on how NetSarang was compromised, he says. "There's an investigation going on."
According to a blog post by Kaspersky Lab today, the attackers may have modified the source code or patched the software with their malicious code. "An investigation is in progress, but since code was signed and added to all software packages it could point to the fact that attackers either modified source codes or patched software on the build servers," they wrote.
NetSarang had not responded to requests for an interview at the time of this posting.
John Bambenek, threat systems manager at Fidelis Cybersecurity, says it does appear to be a possible Chinese operation given the supply-chain attack strategy and the victims' locations. "But I don't know if there's enough evidence to make a strong conclusion," and false flags are always possible.
"I always appreciate when the adversary raises the state of play," he says. "The problem with this technique is that you're [the attacker] going to get a foothold in a lot of places you may not necessarily care about."
Soumenkov says it's unclear just what specific information the ShadowPad attackers are after. But they are definitely strategically targeting systems used by users with the most access in corporate networks: "This server management software is run by system admins, usually privileged users in corporate networks," he says. "We think these machines are used to obtain access to more important parts of corporation" resources, he says.
Kaspersky Lab investigators in the financial institution's incident response investigation initially spotted a server involved in financial transaction processing generating suspicious DNS requests. "We took the software that was" making the DNS requests and analyzed it, Soumenkov says. "At the same moment, we found a very suspicious piece of code found in APTs [advanced persistent threats], viruses, and Trojans, and not in legitimate software. We started to dig more and more and found an APT-like platform inside."
Only the first stage of the APT platform was activated, he says, and it was sending the DNS queries to its command-and-controls server once every eight hours. It sent the name of the server and its domain name, and if the targeted machine was useful to them, the attackers could activate the full backdoor platform silently inside the server. The attackers encrypted their code to mask it as well.