ShadowPad: Backdoor in enterprise server software exposed

16 August 2017

The exploit was effectively patched with the release of our latest Build on August 5th, so if you've already updated, then your clients are secure.

ShadowPad can be "silently" deployed within targets' computers and when activated, can allow hackers to steal data.

The researchers first came across the backdoor when a partner approached them in July this year to investigate suspicious domain name system (DNS) requests originating from a system involved in financial transactions. The most worrying finding was that the vendor had never intended the software to make these requests.

Information carried in these requests included basic system information, such as user names, domain names, and host names. The team found that when ShadowPad was activated it would download more code from a command-and-control server and hide it in a virtual file system inside the Windows registry. Further investigation showed that the source of these requests was server management software produced by a legitimate company and used by hundreds of customers in industries like financial services, education, telecoms, manufacturing, energy, and transportation. Following the installation of an infected software update, the malicious module would start sending DNS queries to specific domains (its command-and-control server) at a frequency of once every eight hours.
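The fixed eight-hour DNS beacon described above is the kind of periodicity a defender can hunt for in DNS logs. The following is an added example, not code from the article, Kaspersky or NetSarang: it groups queries by host and queried name and flags series whose gaps are nearly constant. The log format and the domain names are constructed.

```python
"""Flag hosts whose DNS queries to a name recur at a near-constant interval,
the pattern described for ShadowPad (one query every eight hours).
Added example; log format and domains are constructed, not from the article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp host queried_name" (placeholder names).
SAMPLE_LOG = """\
2017-07-01T00:05:00 fin-srv01 update.example-c2.invalid
2017-07-01T00:07:13 fin-srv01 www.example.com
2017-07-01T08:05:02 fin-srv01 update.example-c2.invalid
2017-07-01T09:41:50 fin-srv01 www.example.com
2017-07-01T16:04:58 fin-srv01 update.example-c2.invalid
2017-07-01T17:30:00 fin-srv01 www.example.com
2017-07-02T00:05:01 fin-srv01 update.example-c2.invalid
2017-07-02T00:05:30 fin-srv01 www.example.com
"""


def parse_log(text):
    """Group query timestamps by (host, queried name)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, host, name = line.split()
        series[(host, name)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_queries=4, max_jitter=0.05):
    """Return (host, name, mean_interval_hours) for every series whose
    inter-query gaps are nearly constant (stdev/mean below max_jitter).
    Ordinary browsing to a popular name has irregular gaps and is not flagged."""
    hits = []
    for (host, name), times in parse_log(text).items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((host, name, round(avg / 3600, 2)))
    return hits


if __name__ == "__main__":
    for host, name, hours in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {name}: every {hours} h")
```

On the constructed sample only the placeholder C2 name is reported, with an interval of 8.0 hours; a real hunt would also need to whitelist legitimate scheduled lookups such as update checkers.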

Following the discovery, Kaspersky Lab researchers immediately contacted NetSarang.

"ShadowPad is an example of how unsafe and wide-scale a successful supply-chain attack can be". NetSarang confirmed that its software was "unknowingly shipped with a backdoor". "Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component". Kaspersky said that the malware bears a certain resemblance to the PlugX and Winnti attack code used by Chinese hacking groups.

"The security of our customers and user base is our highest priority and ultimately, our responsibility", NetSarang said in a statement.

Although it is not yet known how the attackers gained access to NetSarang's systems to plant the malicious code, Kaspersky noted that it was signed with a legitimate certificate from the software developer. "NetSarang will continue to evaluate and improve our security not only to combat the efforts of cyberespionage groups around the world but also in order to regain the trust of its loyal user base".

Kaspersky also warned that ShadowPad "could be lying dormant on many other systems worldwide, especially if the users have not installed the updated version of the affected software".