Advanced malware found in software used in over 100 banks

Kaspersky Lab researchers have discovered a powerful backdoor called “ShadowPad” planted in server management software used by hundreds of large companies around the world. When activated, the backdoor allowed attackers to download malicious modules and steal data. Kaspersky Lab alerted NetSarang, the affected software vendor, which removed the malicious code and released an update for its customers. ShadowPad is one of the largest known supply chain attacks, and had the threat not been detected and patched quickly, it could have targeted hundreds of organizations around the world, Kaspersky Lab said.

As reported by Ars Technica, the affected products, including NetSarang's Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0 and Xlpd 5.0, were available between July 17 and August 4. Kaspersky Lab's Global Research and Analysis Team (GReAT) was contacted by a financial institution about suspicious DNS (Domain Name System) requests originating from a system involved in financial transactions. Further investigation showed that the software vendor had never intended the software to make these requests. Researchers then found that the suspicious requests were caused by a malicious module hidden within a recent version of the legitimate software.

Once installed on servers, the malicious module would send DNS queries containing basic information about the victim’s system (username, domain name, hostname) to specific domains every eight hours. If the attackers judged the system to be of interest to them, the command server would respond and activate a full backdoor platform, which would then download and execute further malicious code. Kaspersky Lab promptly informed NetSarang, after which the company released an updated version of the software without the malicious code. “To combat the ever-changing landscape of cyber attacks, NetSarang has incorporated a number of methods and measures to prevent the product line from being compromised, infected or used by cyber-espionage groups. Unfortunately, the launch of the Build of our full line of products on July 18, 2017 was unknowingly shipped with a back door, which had the potential to be exploited by its creator,” the company said in a statement. “NetSarang is committed to the privacy of its users and has incorporated a more robust system to ensure that a compromised product is never delivered to its users,” they added.
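The beaconing behaviour described above (a query to one domain every eight hours, carrying host details in the name) is something a defender can look for in resolver logs. The following Python is an added example, not code from the article or from Kaspersky Lab's analysis: it parses constructed log lines, groups queries by client and domain, and flags pairs that recur at the eight-hour cadence with a different random-looking label each time. The log lines and the `c2-placeholder.example` domain are constructed for the example.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log (not from the article): "<UTC timestamp> <client IP> <queried name>".
# Host 10.0.5.21 queries a constructed placeholder domain every eight hours with a different
# random-looking label each time, mimicking the beacon behaviour described in the article.
SAMPLE_LOG = """\
2017-08-01T00:02:11Z 10.0.5.21 www.intranet.example
2017-08-01T00:10:43Z 10.0.5.21 kjq3c6x2h7z9l1.c2-placeholder.example
2017-08-01T08:10:44Z 10.0.5.21 mz8h1p3r6t0v4w.c2-placeholder.example
2017-08-01T08:15:00Z 10.0.5.21 mail.intranet.example
2017-08-01T16:10:45Z 10.0.5.21 qa2b5d8f1h4k7m.c2-placeholder.example
2017-08-02T00:10:46Z 10.0.5.21 wx9y2z5a8c1e4g.c2-placeholder.example
2017-08-01T09:00:00Z 10.0.5.22 www.intranet.example
"""

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score higher than dictionary words."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def base_domain(name):
    """Last two labels of a name (sufficient for the constructed data; real data needs a suffix list)."""
    return ".".join(name.strip(".").split(".")[-2:])

def parse_log(log):
    for line in log.splitlines():
        ts, client, name = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, name.lower()

def find_beacons(log, period_hours=8.0, tolerance_hours=0.25, min_queries=3, min_entropy=3.0):
    """Return (client, domain) pairs whose queries recur every period_hours with varying high-entropy labels."""
    by_pair = defaultdict(list)
    for ts, client, name in parse_log(log):
        by_pair[(client, base_domain(name))].append((ts, name))
    hits = []
    for (client, domain), events in by_pair.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 3600 for a, b in zip(events, events[1:])]
        if not all(abs(g - period_hours) <= tolerance_hours for g in gaps):
            continue  # not a regular cadence
        labels = [qname[: -len(domain) - 1] for _, qname in events]  # the host-specific part
        if len(set(labels)) < len(labels):
            continue  # identical labels look like ordinary cache-expiry re-resolution
        mean_entropy = sum(shannon_entropy(label) for label in labels) / len(labels)
        if mean_entropy >= min_entropy:
            hits.append({"client": client, "domain": domain, "queries": len(events),
                         "mean_label_entropy": round(mean_entropy, 2)})
    return hits
```

On the constructed log this flags only the 10.0.5.21 to `c2-placeholder.example` pair; the ordinary intranet lookups are neither periodic nor numerous enough to match.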

According to the Kaspersky Lab investigation, the malicious module has so far been found activated in Hong Kong, but many other systems around the world are believed to have been affected. Users should install the updated version of the affected software to protect their systems. “ShadowPad is an example of how dangerous and large-scale a successful supply chain attack can be. Given the scope and data collection opportunities it offers to attackers, it is likely to be replicated over and over again with some other widely used software component,” said Igor Soumenkov, security expert at the Global Research and Analysis Team at Kaspersky Lab.
