Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/15/2017
04:10 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Server Management Software Discovered Harboring Backdoor

ShadowPad backdoor found embedded in a software product used by major organizations around the globe to manage their Linux, Windows, and Unix servers.

A Windows-based server management software product used by hundreds of organizations worldwide was found rigged with a malicious backdoor tucked inside its source code.

The so-called ShadowPad backdoor was discovered on Aug. 4 by Kaspersky Lab during an incident response investigation for a financial institution partner. The cyber espionage malware was embedded in one of the source code libraries of NetSarang Computer's July 18, 2017 software builds. Its Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, were all compromised.

Kaspersky Lab alerted NetSarang, which issued an update the next day, Aug. 5, for its customers to download. The software is used by organizations in finance, education, telecommunications, manufacturing, energy, and transportation, to manage their Windows, Unix, and Linux servers.

Igor Soumenkov, principal security researcher for Kaspersky Lab, says the only known victim of the backdoor thus far is a Hong Kong-based organization, but it's possible there are others.

The malicious software module is the first stage of a multi-layered attack and was activated in several victims' servers in the APAC region. Kaspersky Lab says the attack has the earmarks of Chinese-speaking cyber espionage attack groups such as PlugX and WinNTi, but they can't confirm that these are the attackers behind ShadowPad.

Such supply chain-style attacks are still rare in cyber espionage, Soumenkov notes, and this is the second such case this year. The first was the NotPetya attack, where attackers compromised the update server of an accounting software product called MeDoc that's mostly used in Ukraine. The malware infected customers as they updated their accounting software.

"This is a pretty rare thing," he says, especially for a popular software program like NetSarang's. "We don't have any information" on how NetSarang was compromised, he says. "There's an investigation going on."

According to a blog post by Kaspersky Lab today, the attackers may have modified the source code or patched the software with their malicious code. "An investigation is in progress, but since code was signed and added to all software packages it could point to the fact that attackers either modified source codes or patched software on the build servers," they wrote.

NetSarang had not responded to requests for an interview at the time of this posting.

John Bambenek, threat systems manager at Fidelis Cybersecurity, says it does appear to be a possible Chinese operation given the supply-chain attack strategy and the victims' locations. "But I don't know if there's enough evidence to make a strong conclusion," and false flags are always possible.

"I always appreciate when the adversary raises the state of play," he says. "The problem with this technique is that you're [the attacker] going to get a foothold in a lot of places you may not necessarily care about."

Soumenkov says it's unclear just what specific information the ShadowPad attackers are after. But they are definitely strategically targeting systems used by users with the most access in corporate networks: "This server management software is run by system admins, usually privileged users in corporate networks," he says. "We think these machines are used to obtain access to more important parts of corporation" resources, he says.

Kaspersky Lab investigators in the financial institution's incident response investigation initially spotted a server involved in financial transaction processing generating suspicious DNS requests. "We took the software that was" making the DNS requests and analyzed it, Soumenkov says. "At the same moment, we found a very suspicious piece of code found in APTs [advanced persistent threats], viruses, and Trojans, and not in legitimate software. We started to dig more and more and found an APT-like platform inside."

Only the first stage of the APT platform was activated, he says, and it was sending the DNS queries to its command-and-controls server once every eight hours. It sent the name of the server and its domain name, and if the targeted machine was useful to them, the attackers could activate the full backdoor platform silently inside the server. The attackers encrypted their code to mask it as well.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5680
PUBLISHED: 2020-12-03
Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.
CVE-2020-5638
PUBLISHED: 2020-12-03
Cross-site scripting vulnerability in desknet's NEO (desknet's NEO Small License V5.5 R1.5 and earlier, and desknet's NEO Enterprise License V5.5 R1.5 and earlier) allows remote attackers to inject arbitrary script via unspecified vectors.
CVE-2020-5676
PUBLISHED: 2020-12-03
GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors.
CVE-2020-5677
PUBLISHED: 2020-12-03
Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.
CVE-2020-5678
PUBLISHED: 2020-12-03
Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.