Kaspersky Lab experts have discovered a backdoor planted in a server management software product used by hundreds of large businesses around the world. When activated, the backdoor allows attackers to download further malicious modules or steal data. Kaspersky Lab has alerted NetSarang, the vendor of the affected software, and it has promptly removed the malicious code and released an update for customers.

 

ShadowPad is one of the largest known supply-chain attacks. Had it not been detected and patched so quickly, it could potentially have targeted hundreds of organizations worldwide.

 

In July, 2017 Kaspersky Lab’s Global Research and Analysis (GReAT) team was approached by one of its partners – a financial institution. The organization’s security specialists were worried about suspicious DNS (domain name server) requests originating on a system involved in the processing of financial transactions.

 

Further investigation showed that the source of these requests was server management software produced by a legitimate company and used by hundreds of customers in industries like financial services, education, telecoms, manufacturing, energy, and transportation. The most worrying finding was the fact that the vendor did not mean for the software to make these requests.

 

Further Kaspersky Lab analysis showed that the suspicious requests were actually the result of the activity of a malicious module hidden inside a recent version of the legitimate software.

 

Following the installation of an infected software update, the malicious module would start sending DNS-queries to specific domains (its command and control server) at a frequency of once every eight hours. The request would contain basic information about the victim system (user name, domain name, host name).

 

If the attackers considered the system to be “interesting”, the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code.

 

Following the discovery, Kaspersky Lab researchers immediately contacted NetSarang. The company reacted fast and released an updated version of the software without the malicious code.

 

So far, according to Kaspersky Lab research, the malicious module has been activated in Hong Kong, but it could be lying dormant on many other systems worldwide, especially if the users have not installed the updated version of the affected software.

 

While analyzing the tools techniques and procedures used by the attackers, Kaspersky Lab researchers came to the conclusion that some similarities exist that point to PlugX malware variants used by the Winnti APT, a known Chinese-speaking cyberespionage group. This information, however, is not enough to establish a precise connection to these actors.

 

“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component. Luckily NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data stealing attacks against its clients. However, this case shows that large companies should rely on advanced solutions capable of monitoring network activity and detecting anomalies. This is where you can spot malicious activity even if the attackers were sophisticated enough to hide their malware inside legitimate software,” said Igor Soumenkov, security expert, Global Research and Analysis Team, Kaspersky Lab.

 

NetSarang Statement

 

“To combat the ever-changing landscape of cyberattacks NetSarang has incorporated various methods and measures to prevent our line of products from being compromised, infected, or utilized by cyberespionage groups. Regretfully, the Build release of our full line of products on July 18th, 2017 was unknowingly shipped with a backdoor which had the potential to be exploited by its creator.

 

The security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.

 

NetSarang is committed to its users’ privacy and has incorporated a more robust system to ensure that never again will a compromised product be delivered to its users. NetSarang will continue to evaluate and improve our security not only to combat the efforts of cyber espionage groups around the world but also in order to regain the trust of its loyal user base.”

 

All Kaspersky Lab products detect and protect against the ShadowPad malware as “Backdoor.Win32.ShadowPad.a”.

 

Kaspersky Lab advises users to update immediately to the latest version of the NetSarang software, from which the malicious module has been removed, and to check their systems for signs of DNS queries to unusual domains. A list of the command server domains used by the malicious module can be found in the Securelist blogpost, which also includes further technical information on the backdoor.


RECOMMENDED ARTICLE FOR TECHWORLD


 
A Shift from Quantity to Quality: 2018 Saw Cybercriminals Dropping Basic DDoS Operations
Techworld Date Posted: 12 February 2019 8:27 AM | 101 Views
The Kaspersky Lab DDoS Q4 Report covering statistics of the last quarter and the whole of 2018 highlights a 13% decline in the overall number of DDoS attacks when compared with the statistics from.... See More
 
A Shift from Quantity to Quality: 2018 Saw Cybercriminals Dropping Basic DDoS Operations
Techworld Date Posted: 8:27 AM | 101 Views
The Kaspersky Lab DDoS Q4 Report covering statistics of the last quarter and the whole of 2018 highlights a 13% decline in the overall number of DDoS attacks when compared with the statistics from...See More

 
ADATA XPG Announces Partnership with Flash Wolves eSports Organization
Techworld Date Posted: 7 September 2018 4:21 PM | 180 Views
ADATA® Technology, a leading manufacturer of high-performance DRAM modules and NAND Flash products, today announced that is has formed a partnership with one of Taiwan’s biggest names in eSports, the Flash Wolves. This partnership.... See More
 
ADATA XPG Announces Partnership with Flash Wolves eSports Organization
Techworld Date Posted: 4:21 PM | 180 Views
ADATA® Technology, a leading manufacturer of high-performance DRAM modules and NAND Flash products, today announced that is has formed a partnership with one of Taiwan’s biggest names in eSports, the Flash Wolves. This partnership...See More

 
GeForce® Gamers Are Game Ready for Final Fantasy XV! PUBG Now even Faster!
Techworld Date Posted: 1 March 2018 2:55 PM | 906 Views
NVIDIA® has released a new Game Ready Driver for Final Fantasy XV Windows Edition. In addition, it provides a performance boost of up to 7% in PlayerUnknown’s Battlegrounds (PUBG), along with being optimised for.... See More
 
GeForce® Gamers Are Game Ready for Final Fantasy XV! PUBG Now even Faster!
Techworld Date Posted: 2:55 PM | 906 Views
NVIDIA® has released a new Game Ready Driver for Final Fantasy XV Windows Edition. In addition, it provides a performance boost of up to 7% in PlayerUnknown’s Battlegrounds (PUBG), along with being optimised for...See More

 
D-Link Partners with PSITE to Elevate IT Education in PH
Techworld Date Posted: 24 March 2018 4:16 PM | 450 Views
Reflecting its support for quality IT education in the Philippines, leading global supplier of networking products D-Link International Pte. Ltd. has entered into a partnership with the Philippine Society of Information Technology Educators Foundation,.... See More
 
D-Link Partners with PSITE to Elevate IT Education in PH
Techworld Date Posted: 4:16 PM | 450 Views
Reflecting its support for quality IT education in the Philippines, leading global supplier of networking products D-Link International Pte. Ltd. has entered into a partnership with the Philippine Society of Information Technology Educators Foundation,...See More


 
WORLDBEX 2019 Gears Up for “A World Built Bolder”
Techworld Date Posted: 11 February 2019 2:13 PM | 130 Views
The 24th Philippine World Building and Construction Exposition or simply, WORLDBEX, has begun its journey in bringing “A World Built Bolder” as it successfully held its exhibitor’s orientation last January 28 at the Hall.... See More
 
WORLDBEX 2019 Gears Up for “A World Built Bolder”
Techworld Date Posted: 2:13 PM | 130 Views
The 24th Philippine World Building and Construction Exposition or simply, WORLDBEX, has begun its journey in bringing “A World Built Bolder” as it successfully held its exhibitor’s orientation last January 28 at the Hall...See More

 
Realme Philippines to Reveal 3 Big Surprises at Realme 3 Launch
Techworld Date Posted: 14 March 2019 11:15 AM | 80 Views
Realme Philippines is all set to launch its newest offering in the Philippine market, the realme 3, on March 19. Delivering the best value in its price segments, realme Philippines further intensifies the game.... See More
 
Realme Philippines to Reveal 3 Big Surprises at Realme 3 Launch
Techworld Date Posted: 11:15 AM | 80 Views
Realme Philippines is all set to launch its newest offering in the Philippine market, the realme 3, on March 19. Delivering the best value in its price segments, realme Philippines further intensifies the game...See More

 
Businesses Most at Risk from New Breed of Ransomware
Techworld Date Posted: 20 September 2017 9:35 AM | 362 Views
While ransomware has long been one of the main cyber threats to businesses, the past number of months have seen organizations more exposed than ever.Symantec's latest research paper on ransomwarehas found that businesses were.... See More
 
Businesses Most at Risk from New Breed of Ransomware
Techworld Date Posted: 9:35 AM | 362 Views
While ransomware has long been one of the main cyber threats to businesses, the past number of months have seen organizations more exposed than ever.Symantec's latest research paper on ransomwarehas found that businesses were...See More

 
SAP Philippines Officially Recognized as 2019 Top Employer
Techworld Date Posted: 7 January 2019 2:47 PM | 171 Views
SAP Philippines (NYSE: SAP) has been recognized as the 2019 Top Employer, for empowering best people practices and having exceptional employee working conditions.. See More
 
SAP Philippines Officially Recognized as 2019 Top Employer
Techworld Date Posted: 2:47 PM | 171 Views
SAP Philippines (NYSE: SAP) has been recognized as the 2019 Top Employer, for empowering best people practices and having exceptional employee working conditions.See More

 
Heat Up Summer with the Latest Nokia Smartphone Promos
Techworld Date Posted: 5 April 2018 5:01 PM | 612 Views
Charge up the vacation season with the hottest and freshest deals this month for Nokia smartphones on Android from HMD Global, the home of Nokia phones. From April 1 to 30, enjoy P500 off.... See More
 
Heat Up Summer with the Latest Nokia Smartphone Promos
Techworld Date Posted: 5:01 PM | 612 Views
Charge up the vacation season with the hottest and freshest deals this month for Nokia smartphones on Android from HMD Global, the home of Nokia phones. From April 1 to 30, enjoy P500 off...See More


Power by

Download Free AZ | Free Wordpress Themes