For all those using NetSarang's server management software, here's a quick security alert from Kaspersky Lab. Researchers from the security firm have discovered a backdoor, dubbed ShadowPad, in the software suite used by hundreds of banks, energy firms and pharmaceutical companies operating in the United States and around the globe.
Researchers from Kaspersky Lab say that ShadowPad was added to five server or network management products sold by NetSarang, which has offices in South Korea and the US. The malicious code was present in the software products sold between July 17 and August 4 of this year.
Kaspersky released a media update on this issue yesterday, which says that some insiders from NetSarang managed to hack into the software firm's operations server and silently insert the backdoor. Because the insertion went through the legitimate release process, the malicious code passed through the test and production environments unnoticed and went out in legitimate, cryptographically signed software updates.
Security experts from Kaspersky picked up the malicious code when a Hong Kong-based financial client of theirs reported suspicious DNS request activity hitting their servers.
The experts then found that ShadowPad, once activated, would download more code from its command-and-control server and hide it in the virtual file system of the server running the NetSarang software suite.
So, to all those who went for a fresh installation or software update on July 18th or after, here's an update from NetSarang. The software firm is offering a fix on its website to kill the nasty loitering software and has asked its clients to take note of it.
The affected software packages are as follows:
• NetSarang Xmanager Enterprise 5.0 Build 1232
• NetSarang Xmanager 5.0 Build 1045
• NetSarang Xshell 5.0 Build 1322
• NetSarang Xftp 5.0 Build 1218
• NetSarang Xlpd 5.0 Build 1220
Note 1: ShadowPad is nasty malicious code that can collect data from the server and transmit it to remote servers. As this malware was developed by Chinese hackers, the backdoor was found to be sending the collected data to servers located in Beijing.
Note 2: NetSarang software is used by companies such as Lockheed Martin, which manufactures weapons, Russian energy supplier Gazprom and French bank Societe Generale.