Security researchers at Kaspersky Lab have discovered a backdoor in server management software from NetSarang. The backdoor, which Kaspersky has named ShadowPad, was found in a build of the software released on 18 July. NetSarang has since removed the backdoor and issued a clean version of its software. The affected software is believed to be in use by companies operating in the financial services, education, telecoms, manufacturing, energy and transportation sectors.

Igor Soumenkov, security expert, Global Research and Analysis Team, Kaspersky Lab said: “ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.

“Luckily, NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data-stealing attacks against its clients; however, this case shows that large companies should rely on advanced solutions capable of monitoring network activity and detecting anomalies. This is where you can spot malicious activity even if the attackers were sophisticated enough to hide their malware inside legitimate software.”

NetSarang has issued its own press release on the issue. It lists the products affected and says that Kaspersky has detected a single instance of the backdoor being activated, in Hong Kong. This contradicts an earlier statement that there was no evidence it had been used. The company is now trying to get all customers to update to the latest release. It will also have to deal with the reputational fallout from the issue.

What is ShadowPad?

Kaspersky says that it was first contacted by a customer who was seeing an increased number of odd DNS requests. On investigation, those requests were coming from infected machines that were using DNS to contact a command and control (C&C) server. The requests carried enough details about the victim's system (such as user, domain and host names) for the attackers to decide whether it was interesting. Only then would the C&C server send back the response that activated the backdoor, which could in turn download further malicious code onto the infected machine. Until that point the backdoor stayed dormant apart from its periodic DNS beacon, which is why the unusual DNS traffic was the first visible sign of infection.
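The DNS behaviour described above is what a network-monitoring team can actually look for. The script below is an added example written for this page, not code from Kaspersky, NetSarang or the customer that spotted the traffic; the log format, the client addresses and the domain beacon-example.invalid are constructed placeholders, and the 32-character hex labels stand in for encrypted victim details. It scores each query on three indicators (a long first label, high character entropy in that label, and the TXT query type typically used to carry data in both directions) and reports hosts that repeatedly send such queries to the same domain.

```python
"""
DNS beacon triage: flag hosts that repeatedly push encoded data to one
domain through DNS queries. Added example for this article, not code
from Kaspersky, NetSarang or the affected customer.
"""
import math
from collections import defaultdict

# Constructed resolver log, one "<timestamp> <client> <qtype> <qname>" per line.
# beacon-example.invalid is a placeholder for an attacker C&C domain; the hex
# labels are stand-ins for encrypted system details, not real captured data.
SAMPLE_LOG = """\
2017-07-20T09:00:01Z 10.1.2.15 A www.example.com
2017-07-20T09:00:05Z 10.1.2.15 TXT 4f3a9c1e7b2d8a6f5c0e1d2b3a4c5d6e.beacon-example.invalid
2017-07-20T09:00:06Z 10.1.2.15 A mail.example.com
2017-07-20T09:12:40Z 10.1.2.16 A d123456789abcdef.cdn-example.net
2017-07-20T09:30:05Z 10.1.2.15 TXT 8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e.beacon-example.invalid
2017-07-20T09:41:12Z 10.1.2.16 A www.example.com
2017-07-20T10:00:05Z 10.1.2.15 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.beacon-example.invalid
"""

LONG_LABEL = 24      # hex of 16 bytes is 32 chars; base64 of a short record is similar
HIGH_ENTROPY = 3.5   # bits per character; ordinary hostnames sit well below this


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Last two labels of a name; a public-suffix list is better in production."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed log line into a record."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def query_indicators(rec):
    """Return the indicators a single query trips (empty list for benign lookups)."""
    first_label = rec["qname"].split(".")[0]
    hits = []
    if len(first_label) >= LONG_LABEL:
        hits.append("long-label")
    if shannon_entropy(first_label) >= HIGH_ENTROPY:
        hits.append("high-entropy")
    if rec["qtype"] == "TXT":
        hits.append("txt-query")
    return hits


def find_beacons(log_text, min_indicators=2, min_queries=2):
    """
    Map (client, base_domain) -> list of (ts, qname, indicators) for every pair
    that sends at least `min_queries` queries tripping `min_indicators` or more.
    Requiring repetition filters one-off oddities such as long CDN hostnames.
    """
    suspicious = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = query_indicators(rec)
        if len(hits) >= min_indicators:
            key = (rec["client"], base_domain(rec["qname"]))
            suspicious[key].append((rec["ts"], rec["qname"], hits))
    return {key: qs for key, qs in suspicious.items() if len(qs) >= min_queries}


if __name__ == "__main__":
    for (client, domain), queries in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {len(queries)} suspicious queries")
        for ts, qname, hits in queries:
            print(f"  {ts} {qname} [{', '.join(hits)}]")
```

Run as a script, it reports only 10.1.2.15 talking to beacon-example.invalid; the high-entropy CDN-style lookup from 10.1.2.16 trips a single indicator and is not flagged. The thresholds are starting points to tune against a baseline of the domains each host normally resolves; the point of the example is that a beacon which never triggers a single alert still stands out when queries are grouped by client and destination domain over time.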

In its investigation, Kaspersky says it has identified a number of techniques that it has seen before. These were previously used by the PlugX and Winnti groups, which are Chinese-speaking cyberespionage groups. Kaspersky has been careful to say that it does not yet have enough information to definitively blame either group. However, given that the only known activation was in Hong Kong, many will be quick to point the finger of blame at China.

Commercial software vendors drawn into malware distribution

The speed of detection by the Kaspersky customer seems to have put a temporary stop to this attack. Whether this is the last of it is not known. However, this is the second major case in a few months of a commercial software vendor's own product or update channel being used to infect its customers.

In June, the software update service of Ukrainian accounting software company M.E.Doc was compromised. It was then used to distribute the NotPetya malware to customers. Within a day the infection had spread to businesses outside Ukraine, causing a global problem.

The challenge for software companies, particularly smaller ones, is how to prevent this from happening. Many assume that their internal builds are protected. As ShadowPad shows, that is not necessarily the case. It is not yet clear whether the compromise involved an insider at NetSarang. An insider is one plausible route, but the M.E.Doc case shows that an outside attacker with a foothold on a build or update server can achieve the same result, so vendors cannot treat this purely as an insider problem.

Security researchers will be watching to see if this is the start of a new trend. We now have two commercial software vendors used to distribute malware in the last few months. If this continues then it will have a significant impact on the software industry.

Over the last couple of years, software companies have been pushing users to allow automatic updates. They claim that this is the best way of ensuring that software is always up to date and that security updates are installed. If attackers can show that this process is broken by compromising more software companies, it will cause real cyber security problems. Companies will take longer to test updates before deploying them, leaving users exposed to known vulnerabilities for longer.

What does this mean?

At the moment we don’t have a full technical breakdown of ShadowPad from Kaspersky. When that arrives we will hopefully know more about where the C&C servers were located and the additional malware it installed. At that point it may also be possible to identify who was responsible for this attack.

There is now a need for software vendors to start looking carefully at their own cyber security. The majority do have good security processes, but they are focused on attacks designed to steal code. Stolen code allows attackers to find new vulnerabilities. What has received far less attention is the risk of attackers inserting their own code into software builds. In the NetSarang case the modified component was signed with the company's legitimate code-signing certificate, so it passed the checks customers normally rely on; the integrity of the build itself, not just the signature on its output, is what has to be protected.

For those with long memories this is not the first time security at software vendors has been found wanting. In both 1991 and 2003 Novell shipped viruses on its installation media. It appears as though history is again repeating itself.

To deal with this, software vendors will need to add additional security measures to their build and distribution services. That will ultimately add to their costs, which they will pass on to users. However, a failure to act is not an option if they want to avoid being used by attackers.
