Kaspersky Lab Detects A Serious Vulnerability In One Of The Most Widely Used Server Management Programs Around The World

Aug 16, 2017

Kaspersky Lab experts have discovered a security vulnerability in the form of a backdoor planted in server management software used by hundreds of large companies around the world.

The Russian company explained that once the backdoor is activated, it lets the attackers quickly download additional malware or steal data. Kaspersky Lab notified the affected software vendor, NetSarang, which immediately removed the malicious code and released an updated version of the client.

The information security company said that ShadowPad is one of the largest known attacks to infiltrate through supply chain networks. If it is not quickly discovered and corrected, it is likely to target hundreds of companies worldwide.

Kaspersky Lab said that last July its global research and analysis team was contacted by one of its partners, a financial institution. The institution’s security experts were concerned about suspicious requests leaving their domain name server. Further investigation showed that the source of these requests was a server management program produced by a legitimate company and used by hundreds of customers in many sectors, including financial services, education, communications and manufacturing. One of the most worrisome findings, according to the company, is that the software’s vendor had not intended it to make any of these requests.

Further analysis by Kaspersky Lab revealed that the suspicious requests were in fact caused by malicious code embedded in an updated version of a legitimate program. Once the infected update is installed, the malicious code starts sending domain name server requests to specific domains (its command-and-control server) on a schedule, once every eight hours.

The request usually carries basic information about the victim’s system (username, domain name, hostname). If the attackers consider the system interesting, the control server responds and activates the backdoor platform, which is self-contained and silently embedded inside the victim’s computer. Then, on receiving orders from the attackers, the backdoor is able to download and execute more malicious code.

Following this discovery, Kaspersky Lab researchers immediately contacted NetSarang. The company quickly responded to Kaspersky Lab’s request and launched an updated version of the program free of malicious code.

According to Kaspersky Lab’s research, the malicious module has so far been activated in Hong Kong, and it may exist but lie dormant on many other systems around the world, especially where users have not installed the updated version of the affected software.

In analyzing the techniques and procedures used by the attackers, Kaspersky Lab researchers concluded that there are similarities to the PlugX malware variants used by Winnti APT, a well-known Chinese-language group. However, this information is not sufficient to establish a close relationship with these actors.

“ShadowPad is an example of how dangerous it is to successfully launch large-scale attacks by infiltrating supply chain networks, and the consequences they can have,” said Igor Soumenkov, security expert at Kaspersky Lab’s global research and analysis team. “Given the ease of access and data collection for attackers, ShadowPad software is likely to be reproduced or cloned again and again with some of the other widely used software components.”

“Fortunately, we saw NetSarang respond quickly to our feedback, as the company immediately launched an up-to-date, clean version of the software, potentially preventing hundreds of targeted attacks from stealing its customers’ data. However, this situation shows that large companies need to have advanced security solutions capable of monitoring network activity and detecting suspicious cases. This is the only way we can detect malicious attacks even if the attackers are so sophisticated that they hide inside regular programs.”

Kaspersky Lab recommends that users immediately install the updated version of the NetSarang software, from which the newly discovered malware has been removed, and make sure their systems show no sign of suspicious DNS requests to unfamiliar domains. A list of the command-and-control servers used by this malicious code is available on Securelist, which also includes more technical information about the backdoor.
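The article describes the beacon as a DNS request to a small set of attacker domains sent once every eight hours, and the recommendation above is to look for exactly that kind of traffic. The following script is an added example of that check, written for this page; it is not Kaspersky Lab, NetSarang or Securelist code. It assumes a simple DNS query log format (timestamp, client, query name, record type), an allowlist of zones the organisation expects to see, and a +/- 10 % jitter around the eight-hour period; the log lines and domains are constructed placeholders, not real indicators. It also tolerates a missed beacon (a gap of two or three periods, e.g. a machine that was switched off), which a naive "every gap equals eight hours" rule would miss.

```python
"""Flag hosts that query an unfamiliar DNS zone on a fixed schedule.

Constructed example for illustration, not code from Kaspersky Lab,
NetSarang or Securelist. Log format, allowlist and jitter are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO-8601 timestamp> <client IP> <query name> <qtype>"
# All domains are constructed placeholders under .invalid, not real indicators.
SAMPLE_LOG = """\
2017-07-20T00:03:11 10.0.0.15 beacon-a1b2.c2-placeholder.invalid A
2017-07-20T00:15:40 10.0.0.15 update.vendor-placeholder.invalid A
2017-07-20T08:03:09 10.0.0.15 beacon-c3d4.c2-placeholder.invalid A
2017-07-20T09:41:02 10.0.0.15 www.example.invalid A
2017-07-20T16:03:14 10.0.0.15 beacon-e5f6.c2-placeholder.invalid A
2017-07-21T00:03:10 10.0.0.15 beacon-0718.c2-placeholder.invalid A
2017-07-21T08:03:12 10.0.0.15 beacon-9a0b.c2-placeholder.invalid A
2017-07-20T00:10:00 10.0.0.31 beacon-1111.c2-placeholder.invalid A
2017-07-20T08:10:03 10.0.0.31 beacon-2222.c2-placeholder.invalid A
2017-07-21T00:09:58 10.0.0.31 beacon-3333.c2-placeholder.invalid A
2017-07-21T08:10:01 10.0.0.31 beacon-4444.c2-placeholder.invalid A
2017-07-20T00:00:00 10.0.0.40 img1.cdn-placeholder.invalid A
2017-07-20T00:05:00 10.0.0.40 img2.cdn-placeholder.invalid A
2017-07-20T03:00:00 10.0.0.40 img3.cdn-placeholder.invalid A
2017-07-20T09:00:00 10.0.0.40 img4.cdn-placeholder.invalid A
2017-07-20T01:00:00 10.0.0.22 www.example.invalid A
2017-07-20T05:00:00 10.0.0.22 mail.example.invalid MX
"""

# Zones the organisation expects to see (assumed); anything else is "unfamiliar".
KNOWN_ZONES = {"example.invalid", "vendor-placeholder.invalid"}

EXPECTED_PERIOD = timedelta(hours=8)   # beacon interval reported in the article
TOLERANCE = 0.10                        # +/- 10 % jitter around the period (assumed)
MIN_QUERIES = 4                         # repeats needed before calling it a beacon
MAX_SKIPPED = 2                         # tolerate up to two missed beacons in a row


def zone_of(qname: str) -> str:
    """Return the last two labels of a query name (a crude 'registered domain')."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qname) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        yield ts, parts[1], parts[2]


def is_periodic(timestamps, period=EXPECTED_PERIOD, tolerance=TOLERANCE):
    """True if every gap between consecutive queries is k periods (1 <= k <= 1+MAX_SKIPPED)
    to within the tolerance; a missed beacon shows up as a gap of two or three periods."""
    ts = sorted(timestamps)
    if len(ts) < MIN_QUERIES:
        return False
    target = period.total_seconds()
    for a, b in zip(ts, ts[1:]):
        gap = (b - a).total_seconds()
        k = max(1, round(gap / target))          # how many periods this gap spans
        if k > 1 + MAX_SKIPPED or abs(gap - k * target) > tolerance * target:
            return False
    return True


def find_beacons(log_text: str, known_zones=KNOWN_ZONES):
    """Return {(client, zone): query_count} for unfamiliar zones queried on a schedule."""
    seen = defaultdict(list)
    for ts, client, qname in parse_log(log_text):
        zone = zone_of(qname)
        if zone in known_zones:
            continue                              # familiar zone, not of interest here
        seen[(client, zone)].append(ts)
    return {key: len(ts) for key, ts in seen.items() if is_periodic(ts)}


if __name__ == "__main__":
    for (client, zone), n in find_beacons(SAMPLE_LOG).items():
        print(f"{client} queried {zone} {n} times at ~8 h intervals - investigate")
```

On the constructed log, 10.0.0.15 (five queries exactly eight hours apart) and 10.0.0.31 (four queries with one missed slot) are reported, while 10.0.0.40, which queries an unfamiliar zone at irregular times, and 10.0.0.22, which only queries allowlisted zones, are not. In practice the allowlist would be built from the organisation's own resolver history, and the flagged zones compared against the indicator list published on Securelist.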
