Malaysia’s Computer Emergency Response Team (MyCERT) has commented on what has been called one of the biggest known supply chain attacks which affected multiple software products in the NetSarang range.
Several recent versions of NetSarang Server Management software were compromised by the ‘ShadowPad’ exploit. The exploit is capable of allowing attackers to download additional malware or steal confidential business data.
The exploit seems to have hit victims with IP addressed originating in Malaysia, according to MyCERT. A statement from NetSarang says that the exploit has been spotted once in the wild in Hong Kong.
“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component,” comment Kaspersky Labs researchers.
The victims downloaded the compromised software between July 18 and August 4 this year, the MyCERT advisory says. NetSarang has released new versions of the software.
The products caught up in the backdoor are limited to:
• Xmanager Enterprise 5.0 Build 1232 • Xmanager 5.0 Build 1045 • Xshell 5.0 Build 1322 • Xftp 5.0 Build 1218 • Xlpd 5.0 Build 1220
“To combat the ever-changing landscape of cyberattacks NetSarang has incorporated various methods and measures to prevent our line of products from being compromised, infected, or utilized by cyberespionage groups. Regretfully, the Build release of our full line of products on July 18th, 2017 was unknowingly shipped with a backdoor which had the potential to be exploited by its creator,” a statement from NetSarang says.
MyCERT recommends that all businesses who use the affected software to stop using them immediately and apply available patches.
“Users can update by going to Help -> Check for Updates directly in their client or download the latest Build from NetSarang website.”
The latest Builds are Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224.
NetSarang is committed to its users’ privacy and has incorporated a more robust system to ensure that never again will a compromised product be delivered to its users. NetSarang will continue to evaluate and improve our security not only to combat the efforts of cyber espionage groups around the world but also in order to regain the trust of its loyal user base.”
Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
“We are working with Kaspersky Labs to further evaluate the exploit and will update our users with any pertinent information,” NetSarang concludes.