WELCOME TO EHOST.COM.NP

Wednesday, August 16, 2017

Backdoor Found in Popular Server Management Software used by Hundreds of Companies

Cyber criminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.

Recently, attackers managed to infiltrate the update mechanism of a popular server management software package and altered it to include an advanced backdoor, which remained in distribution for at least 17 days before researchers discovered it.

Dubbed ShadowPad, the secret backdoor gave attackers complete control over networks while hidden inside legitimate, cryptographically signed software sold by NetSarang—used by hundreds of banks, media firms, energy companies, pharmaceutical firms, telecommunication providers, transportation and logistics companies and other industries—for 17 days starting last month.

Important Note — If you are using any of the affected products (listed below), we highly recommend you stop using them until you have updated.

Hacker Injected Backdoor Through Software Update Mechanism

According to researchers at Kaspersky Labs, who discovered this well-hidden backdoor, someone managed to hijack NetSarang’s update mechanism and silently insert the backdoor into the software update, so that the malicious code would be delivered silently to all of its clients, signed with NetSarang’s legitimate certificate.

The attackers behind the Petya/NotPetya ransomware that infected computers around the world in June used the same tactic: they compromised the update mechanism of the Ukrainian financial software provider MeDoc and swapped in a malicious update containing NotPetya.

“ShadowPad is an example of the dangers posed by a successful supply-chain attack,” Kaspersky Lab researchers said in their blog post published Tuesday. “Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components.”

The secret backdoor was located in the nssock2.dll library within NetSarang’s Xmanager and Xshell software suites that went live on the NetSarang website on July 18.

However, Kaspersky Labs researchers discovered the backdoor and privately reported it to the company on August 4, and NetSarang immediately took action by pulling down the compromised software suite from its website and replacing it with a previous clean version.

The affected NetSarang software packages are:

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220

Hackers Can Remotely Trigger Commands

The attackers hid the ShadowPad backdoor code inside several layers of encrypted code that are decrypted only under specific conditions.

“The tiered architecture prevents the actual business logics of the backdoor from being activated until a special packet is received from the first tier command and control (C&C) server (activation C&C server),” the researchers wrote.

Until then, the backdoor pings out every 8 hours to a command-and-control server with basic information on the compromised computers, including their domain names, network details, and usernames.

Here’s how the attackers activate the backdoor:

The activation of the backdoor is triggered by a specially crafted DNS TXT record for a specific domain name. The backdoor generates that domain name from the current month and year and performs a DNS lookup on it.

Once triggered, the attacker-controlled DNS server responds with the decryption key for the next stage of the code, which the software then decrypts and runs, effectively activating the backdoor.

Once activated, ShadowPad gives an attacker full backdoor access: the ability to download and run arbitrary code, create processes, and maintain a virtual file system (VFS) in the registry, which is encrypted and stored in locations unique to each victim.

Kaspersky researchers said they could confirm an activated backdoor in one case, against an unnamed company located in Hong Kong.

How to Detect this Backdoor and Protect Your Company

The company rolled out an update on August 4 that removes the malicious library, and is investigating how the backdoor code got into its software.

Anyone who has not updated their NetSarang software since then is strongly advised to upgrade to the latest version of the NetSarang package immediately.

Additionally, check whether there were DNS requests from your organization to the command-and-control domains published in Kaspersky’s report. If so, block requests to those domains and investigate the hosts that made them.

NetSarang installation kits from April do not include the malicious library.
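The two checks above (lookups of listed C&C domains, and the 8-hourly beaconing described earlier) can be run over resolver logs. The following is an added example, not code from the article or from Kaspersky; the log format and the indicator domains are constructed placeholders, and the real indicator list should be substituted in the same defanged "example[.]com" form the article uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators written the way the article lists them ("evil[.]com"); these two are
# constructed placeholders, not the real ShadowPad domains.
IOC_DOMAINS_DEFANGED = ["activation-c2-example[.]com", "stage2-example[.]net"]

def refang(domain):
    """Turn a defanged indicator such as 'evil[.]com' into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Assumed (constructed) resolver log format: "<ISO timestamp> <client-ip> <queried-name>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines instead of crashing on them
    ts, client, qname = m.groups()
    return datetime.fromisoformat(ts), client, refang(qname)

def find_ioc_hits(lines):
    """(client, qname) pairs that resolved a listed C&C domain or a subdomain of one."""
    hits = []
    for _, client, qname in filter(None, map(parse_line, lines)):
        if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((client, qname))
    return hits

def find_periodic_beacons(lines, period=timedelta(hours=8),
                          tolerance=timedelta(minutes=10), min_queries=3):
    """(client, qname) pairs whose lookups recur at the ~8 h cadence described above."""
    seen = defaultdict(list)
    for ts, client, qname in filter(None, map(parse_line, lines)):
        seen[(client, qname)].append(ts)
    flagged = []
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_queries and all(abs(g - period) <= tolerance for g in gaps):
            flagged.append(key)
    return flagged

# Constructed sample log: host .5 beacons every ~8 h; host .9 resolves a listed domain once.
SAMPLE_LOG = """2017-07-20T00:02:00 10.0.0.5 beacon.activation-c2-example.com
2017-07-20T09:15:00 10.0.0.7 www.example.org
2017-07-20T08:03:00 10.0.0.5 beacon.activation-c2-example.com
2017-07-20T09:16:00 10.0.0.9 stage2-example.net
2017-07-20T16:01:00 10.0.0.5 beacon.activation-c2-example.com""".splitlines()
```

The cadence check is deliberately tolerant (10 minutes by default) because beacon timers drift with reboots and sleep; tighten or loosen it to match your environment.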
