Content, Breach

ShadowPad Backdoor Targets Supply Chain Software

Supply chain cybersecurity attackers planted a backdoor in popular server management software used by hundreds of companies, only to be foiled at least for the time being, by researchers.

The server management platform is NetSarang's. The security researcher is Kaspersky. And the backdoor is dubbed ShadowPad, said by Kaspersky to be one of the largest known supply-chain attacks. The security firm revealed the flaw on Tuesday after informing NetSarang of its discovery on August 4th.

NetSarang subsequently removed the added malicious code, which affected five builds of its software released on July 18, and supplied an update for its customers.

This battlefield, in a word, is alarming. Had the threat not been detected and patched, it could have potentially targeted hundreds of organizations worldwide, the Kaspersky said. NetSarang’s platform is used by organizations in banking, education, energy, manufacturing, telecommunications and transport.

Once activated, the backdoor enables attackers to download further malicious modules or steal data. The hackers apparently hid the security exploit in several layers of encrypted code, Kaspersky said in a SecureList blog.

“The tiered architecture prevents the actual business logics of the backdoor from being activated until a special packet is received from the first tier command and control server,” the company’s researchers wrote. In the meantime, every eight hours the malicious code culled basic system information, domain and user names.

Kaspersky first became aware of the backdoor when it was asked by one of its partners, a financial services company, to investigate strange domain name server requests originating on a system processing financial transactions. Further investigation showed that the source of these requests was legitimate server management software from NetSarang. The most worrisome finding was that NetSarang did not mean for the software to make these requests but instead it resulted from code hidden in new builds of its software.

"Regretfully, the Build release of our full line of products on July 18, 2017, was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator," NetSarang said.

ShadowPad shows how dangerous and widespread a successful supply-chain attack can be, said Igor Soumenkov, a Kaspersky security expert in its Global Research and Analysis Team.

“Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component,” he said.

Kaspersky warned that even though ShadowPad has been activated only once in Hong Kong, it could be lying in wait on many other systems worldwide. While the security provider didn’t assign any responsibility for the malware, it did note that the techniques used by the attackers are similar to Chinese cyber spys PlugX and Winnti.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.