A hidden backdoor in the servers of a South Korean software maker was discovered and exploited by Chinese hackers, putting at risk the hundreds of large companies and organizations that use the software.
The hackers reportedly compromised the software produced by NetSarang and created a backdoor that would allow them access to the computer systems of financial services, education, telecommunications, manufacturing, energy and transportation companies.
With access to the NetSarang server, the hackers were able to publish applications that included the backdoor and were signed with an official NetSarang certificate, making the compromised software appear legitimate.
Those apps—complete with the exploit, dubbed ShadowPad, inserted by the attackers—were uploaded to the NetSarang download servers, replacing the official apps and putting anyone who downloaded the malicious update from the company’s servers at risk.
Once companies downloaded and installed the compromised applications, the attackers used the backdoor added to the source code to upload and execute malicious files on the victim’s machines, further compromising the network.
According to research from Kaspersky, a cybersecurity firm based in Russia, the app would initially share basic information about a victim’s computer, including user name, domain name, and hostname. If the attackers deemed the infected system interesting enough, they would carry out a full-fledged attack on the machine.
“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be,” Igor Soumenkov, a security expert on the Global Research and Analysis Team at Kaspersky Lab, said. “Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.”
While the hackers were able to carry out the attack, they were eventually discovered when a financial institution using the hacked NetSarang software noticed a strange pattern of domain name server (DNS) requests.
The company alerted Kaspersky, which got to work looking into the suspicious activity. Upon investigating, the security researchers at Kaspersky discovered that the DNS requests were the software communicating with the command and control server run by the hackers.
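The DNS anomaly that exposed the backdoor is the kind of pattern a defender can hunt for in resolver logs. The following is an added example, not code from the article, Kaspersky or NetSarang: it groups queries per client and zone and flags groups whose leftmost labels are all unique and random-looking and which are sent at clockwork intervals. The log lines, client IP and domain names are constructed, and the thresholds are assumptions to tune for a real environment.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample DNS query log: timestamp, client IP, queried name.
# Made-up lines for illustration, not traffic captured from ShadowPad.
SAMPLE_LOG = """\
2017-08-01T10:00:00 10.0.0.5 www.example.com
2017-08-01T10:00:01 10.0.0.5 k2j8f0a3d9e7c1b6.update.example-cdn.net
2017-08-01T10:00:02 10.0.0.5 mail.example.com
2017-08-01T10:30:01 10.0.0.5 q9x1m4p7z2v5w8n0.update.example-cdn.net
2017-08-01T11:00:01 10.0.0.5 b3h6t9r2y5u8i1o4.update.example-cdn.net
2017-08-01T11:30:01 10.0.0.5 f7g0k3l6s9d2a5x8.update.example-cdn.net
2017-08-01T11:45:10 10.0.0.5 www.example.com
"""

def shannon_entropy(label):
    """Bits per character; a random-looking label scores near log2(len(label))."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def analyze(log, min_queries=3, entropy_threshold=3.5, max_interval_cv=0.1):
    """Group queries by (client, zone) and flag groups that look like beaconing.
    Zone is approximated as the last two labels (a public-suffix list is better)."""
    groups = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, name = line.split()
        labels = name.lower().split(".")
        zone = ".".join(labels[-2:])
        groups[(client, zone)].append((datetime.fromisoformat(ts), labels[0]))
    report = {}
    for key, entries in groups.items():
        entries.sort()
        leftmost = [lab for _, lab in entries]
        mean_entropy = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        times = [t for t, _ in entries]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of the gaps: near 0 means a fixed-period beacon
        mean_gap = statistics.mean(gaps) if gaps else 0
        cv = statistics.pstdev(gaps) / mean_gap if len(gaps) >= 2 and mean_gap > 0 else None
        flagged = (len(entries) >= min_queries and len(set(leftmost)) == len(leftmost)
                   and mean_entropy >= entropy_threshold and cv is not None and cv <= max_interval_cv)
        report[key] = {"queries": len(entries), "mean_entropy": round(mean_entropy, 2),
                       "interval_cv": cv, "flagged": flagged}
    return report
```

Calling analyze(SAMPLE_LOG) flags the (10.0.0.5, example-cdn.net) group (four unique 16-character labels, entropy 4.0, 30-minute period) and leaves the ordinary example.com lookups unflagged.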
Kaspersky alerted NetSarang of the issue, and the Korean software maker quickly removed the infected apps from its servers and replaced them with legitimate software that does not contain the backdoor. Companies can download the update and overwrite the compromised version of the app.
NetSarang responded to the issue quickly once informed, and Kaspersky has only recorded one occurrence of the backdoor being exploited, but warned that the attackers may be lying dormant and could reappear to carry out an attack on a company that has yet to install a legitimate version of the software.
The at-risk applications include:
- Xmanager Enterprise 5 Build 1232
- Xmanager 5 Build 1045
- Xshell 5 Build 1322
- Xftp 5 Build 1218
- Xlpd 5 Build 1220
“This case shows that large companies should rely on advanced solutions capable of monitoring network activity and detecting anomalies. This is where you can spot malicious activity even if the attackers were sophisticated enough to hide their malware inside legitimate software,” Soumenkov said.