Backdoor Found in Popular Server Management Software used by Hundreds of Companies

Cyber criminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.

Recently, cyber crooks managed to infiltrate the update mechanism for a popular server management software package and altered it to include an advanced backdoor, which lasts for at least 17 days until researchers discovered it.

Dubbed ShadowPad, the secret backdoor gave attackers complete control over networks hidden behind legit cryptographically signed software sold by NetSarang—used by hundreds of banks, media firms, energy companies, and pharmaceutical firms, telecommunication providers, transportation and logistics and other industries—for 17 days starting last month.

Important Note — If you are using any of the affected product (listed below), we highly recommend you stop using it until you update them.

Hacker Injected Backdoor Through Software Update Mechanism

According to researchers at Kaspersky Labs, who discovered this well-hidden backdoor, someone managed to hijack the NetSarang’s update mechanism and silently insert the backdoor in the software update, so that the malicious code would silently deliver to all of its clients with NetSarang’s legitimate signed certificate.

The attackers of the Petya/NotPetya ransomware that infected computers around the world in June used the same tactic by compromising the update mechanism for Ukrainian financial software provider called MeDoc and swapped in a dodgy update including NotPetya.

“ShadowPad is an example of the dangers posed by a successful supply-chain attack,” Kaspersky Lab researchers said in their blog post published Tuesday. “Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components.”

The secret backdoor was located in the nssock2.dll library within NetSarang’s Xmanager and Xshell software suites that went live on the NetSarang website on July 18.

However, Kaspersky Labs researchers discovered the backdoor and privately reported it to the company on August 4, and NetSarang immediately took action by pulling down the compromised software suite from its website and replacing it with a previous clean version.

The affected NetSarang’s software packages are:

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220

Hackers Can Remotely Trigger Commands

The attackers hide the ShadowPad backdoor code in several layers of encrypted code that were decrypted only in intended cases.

Read more…

Source: The Hacker News