Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/15/2017
04:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Server Management Software Discovered Harboring Backdoor

ShadowPad backdoor found embedded in a software product used by major organizations around the globe to manage their Linux, Windows, and Unix servers.

A Windows-based server management software product used by hundreds of organizations worldwide was found rigged with a malicious backdoor tucked inside its source code.

The so-called ShadowPad backdoor was discovered on Aug. 4 by Kaspersky Lab during an incident response investigation for a financial institution partner. The cyber espionage malware was embedded in one of the source code libraries of NetSarang Computer's July 18, 2017 software builds. Its Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, were all compromised.

Kaspersky Lab alerted NetSarang, which issued an update the next day, Aug. 5, for its customers to download. The software is used by organizations in finance, education, telecommunications, manufacturing, energy, and transportation, to manage their Windows, Unix, and Linux servers.

Igor Soumenkov, principal security researcher for Kaspersky Lab, says the only known victim of the backdoor thus far is a Hong Kong-based organization, but it's possible there are others.

The malicious software module is the first stage of a multi-layered attack and was activated in several victims' servers in the APAC region. Kaspersky Lab says the attack has the earmarks of Chinese-speaking cyber espionage attack groups such as PlugX and WinNTi, but they can't confirm that these are the attackers behind ShadowPad.

Such supply chain-style attacks are still rare in cyber espionage, Soumenkov notes, and this is the second such case this year. The first was the NotPetya attack, where attackers compromised the update server of an accounting software product called MeDoc that's mostly used in Ukraine. The malware infected customers as they updated their accounting software.

"This is a pretty rare thing," he says, especially for a popular software program like NetSarang's. "We don't have any information" on how NetSarang was compromised, he says. "There's an investigation going on."

According to a blog post by Kaspersky Lab today, the attackers may have modified the source code or patched the software with their malicious code. "An investigation is in progress, but since code was signed and added to all software packages it could point to the fact that attackers either modified source codes or patched software on the build servers," they wrote.

NetSarang had not responded to requests for an interview at the time of this posting.

John Bambenek, threat systems manager at Fidelis Cybersecurity, says it does appear to be a possible Chinese operation given the supply-chain attack strategy and the victims' locations. "But I don't know if there's enough evidence to make a strong conclusion," and false flags are always possible.

"I always appreciate when the adversary raises the state of play," he says. "The problem with this technique is that you're [the attacker] going to get a foothold in a lot of places you may not necessarily care about."

Soumenkov says it's unclear just what specific information the ShadowPad attackers are after. But they are definitely strategically targeting systems used by users with the most access in corporate networks: "This server management software is run by system admins, usually privileged users in corporate networks," he says. "We think these machines are used to obtain access to more important parts of corporation" resources, he says.

Kaspersky Lab investigators in the financial institution's incident response investigation initially spotted a server involved in financial transaction processing generating suspicious DNS requests. "We took the software that was" making the DNS requests and analyzed it, Soumenkov says. "At the same moment, we found a very suspicious piece of code found in APTs [advanced persistent threats], viruses, and Trojans, and not in legitimate software. We started to dig more and more and found an APT-like platform inside."

Only the first stage of the APT platform was activated, he says, and it was sending the DNS queries to its command-and-controls server once every eight hours. It sent the name of the server and its domain name, and if the targeted machine was useful to them, the attackers could activate the full backdoor platform silently inside the server. The attackers encrypted their code to mask it as well.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19317
PUBLISHED: 2019-12-05
lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.
CVE-2019-19602
PUBLISHED: 2019-12-05
fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel before 5.4.2, when GCC 9 is used, allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact because of incorrect fpu_fpregs_owner_ctx caching, as demonstr...
CVE-2019-19601
PUBLISHED: 2019-12-05
OpenDetex 2.8.5 has a Buffer Overflow in TexOpen in detex.l because of an incorrect sprintf.
CVE-2019-19589
PUBLISHED: 2019-12-05
The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives.
CVE-2019-19597
PUBLISHED: 2019-12-05
D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header.