SOUTH KOREAN SOFTWARE MAKER NetSarang has admitted that recent builds of all its software products were shipped with backdoors believed to have been slipped in by hackers from mainland China.
The malware was picked up in an investigation by Kaspersky after a client reported unusual network activity. Kaspersky claims that the tools, techniques and procedures point to PlugX malware variants used by the Chinese Winnti APT cyber-espionage group.
In a statement issued this week the company, which makes connectivity software widely used by banks and infrastructure companies, fessed up to the flaws.
"On Friday 4 August 2017, our engineers, in cooperation with Kaspersky Labs, discovered a security exploit in our software specific to... Builds which were released on 18 July 2017. As of 15 August 2017, Kaspersky Labs has discovered a single instance of this exploit being utilized in Hong Kong."
The security flaws affect the following products:
- Xmanager Enterprise 5.0, build 1232;
- Xmanager 5.0, build 1045;
- Xshell 5.0, build 1322;
- Xftp 5.0, build 1218;
- Xlpd 5.0, build 1220.
The company was keen to assert that only those builds were affected.
"If you are using any of these above-listed Builds, we highly recommend you cease using the software until you update your clients. The exploit was effectively patched with the release of our latest Build on August 5th, so if you've already updated, then your clients are secure," it said.
NetSarang added that anti-virus software makers had been informed of the issue and that up-to-date anti-virus software ought to identify any of the affected DLL files. Kaspersky detects the malware, dubbed ShadowPad, as "Backdoor.Win32.ShadowPad.a".
The ShadowPad backdoor, when activated, would enable the hackers to download further malicious modules or to exfiltrate data, Kaspersky warned.
"In July 2017, Kaspersky Lab's Global Research and Analysis Team (GReAT) was approached by one of its partners, a financial institution. The organisation's security specialists were worried about suspicious DNS (domain name server) requests originating on a system involved in the processing of financial transactions," claimed Kaspersky in an advisory.
"Further investigation showed that the source of these requests was server management software produced by a legitimate company and used by hundreds of customers in industries like financial services, education, telecoms, manufacturing, energy and transportation. The most worrying finding was the fact that the vendor did not mean for the software to make these requests.
"Further Kaspersky Lab analysis showed that the suspicious requests were actually the result of the activity of a malicious module hidden inside a recent version of the legitimate software.
"Following the installation of an infected software update, the malicious module would start sending DNS-queries to specific domains (its command and control server) at a frequency of once every eight hours. The request would contain basic information about the victim's system (user name, domain name, host name).
"If the attackers considered the system to be 'interesting', the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code."
Kaspersky claims that NetSarang reacted fast to rectify the security problem as soon as it was notified.
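The eight-hour DNS beacon described in the advisory is the kind of behaviour defenders can hunt for in resolver logs. The sketch below is an added example, not code from Kaspersky or NetSarang; the log format, jitter tolerance, thresholds and sample domains are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERVAL = timedelta(hours=8)      # beacon frequency stated in the advisory
TOLERANCE = timedelta(minutes=20)  # assumed allowance for timing jitter
MIN_EXACT = 3                      # assumed: need three single-interval gaps

# Constructed sample: "<ISO timestamp> <client IP> <query name>" per line.
SAMPLE_LOG = """\
2017-07-20T00:03:00 10.0.5.17 a1b2c3.ns-beacon.example
2017-07-20T08:05:00 10.0.5.17 d4e5f6.ns-beacon.example
2017-07-20T16:01:00 10.0.5.17 a7b8c9.ns-beacon.example
2017-07-21T08:04:00 10.0.5.17 c1d2e3.ns-beacon.example
2017-07-21T16:02:00 10.0.5.17 f4a5b6.ns-beacon.example
2017-07-20T09:00:00 10.0.5.17 www.intranet.example
2017-07-20T09:01:00 10.0.5.17 www.intranet.example
2017-07-20T13:30:00 10.0.5.17 mail.intranet.example
2017-07-20T02:00:00 10.0.5.22 update.vendor.example
2017-07-21T02:00:00 10.0.5.22 update.vendor.example
2017-07-22T02:00:00 10.0.5.22 update.vendor.example
2017-07-23T02:00:00 10.0.5.22 update.vendor.example
""".splitlines()

def parent_domain(qname):
    """Group by the last two labels (crude; use a public-suffix list in production)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def interval_multiple(gap):
    """Return k if gap is within TOLERANCE of k * 8h (k >= 1), else 0."""
    k = round(gap / INTERVAL)
    return k if k >= 1 and abs(gap - k * INTERVAL) <= TOLERANCE else 0

def find_beacons(lines):
    """Return sorted (client, domain) pairs queried on an eight-hour rhythm."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, qname = line.split()
        seen[(client, parent_domain(qname))].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in seen.items():
        times.sort()
        ks = [interval_multiple(b - a) for a, b in zip(times, times[1:])]
        # Every gap must fit the rhythm (k > 1 covers a missed beacon, e.g. host
        # powered off) and enough gaps must be exactly one interval, which keeps
        # ordinary daily update checks (k == 3) from being flagged.
        if ks.count(1) >= MIN_EXACT and all(ks):
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Grouping by parent domain matters because a beacon that carries host details in the query is likely to use a different name on every request.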
The attack is the latest example of what is known as a supply chain attack, in which a critical element in an organisation's supply chain - in this case a software company - is compromised in order to hit other organisations that it does business with. µ