MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2017

MA-678.082017: MyCERT Advisory – ShadowPad : Supply Chain Attack in Asia Pacific

Date first published: 21/8/2017


1.0    Introduction

Kaspersky Lab has issued a press release, along with a joint statement with NetSarang Company, regarding a security exploit that affected several recent versions of NetSarang server management software products, which are used by hundreds of large businesses from various sectors worldwide.

MyCERT has also received a report from a trusted party regarding potential victims with IP addresses originating from Malaysia who downloaded the above NetSarang products between 18 July and 4 August.

2.0    Impact

The backdoor, dubbed ShadowPad, is one of the largest known supply-chain attacks. Had the threat not been detected and patched so quickly, it could potentially have targeted hundreds of organizations worldwide.

The backdoor planted in NetSarang's software, when activated, allowed attackers to download additional malware modules or steal confidential corporate data.

3.0    Affected Products

The specific Builds released on July 18, 2017 were affected, as listed below:

•    Xmanager Enterprise 5.0 Build 1232
•    Xmanager 5.0 Build 1045
•    Xshell 5.0 Build 1322
•    Xftp 5.0 Build 1218
•    Xlpd 5.0 Build 1220

Build numbers before and after the above Builds were not affected.

4.0    Recommendations

4.1 It is highly recommended that users cease using the software Builds listed above. The exploit was patched with the release of the latest Build on August 5th.

4.2 Users can update via Help -> Check for Updates directly in their client, or download the latest Build from the NetSarang website at: https://www.netsarang.com/download/software.html.
The latest Builds are Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224.
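Acting on the two build lists above means finding every host that still runs one of the five backdoored builds. The following Python script is an added example written for this page, not code from MyCERT or NetSarang: it reads a constructed software-inventory export (the host,product,version column layout is an assumption, not the format of any particular asset-management tool), extracts the build number from version strings such as "5.0 Build 1322", and classifies each row as affected (one of the July 18 builds), current (at or above the August 5 fixed build), not_affected (any other build, following the advisory's statement that builds before and after the affected ones were not affected) or unknown.

```python
import csv
import io
import re

# Affected builds from the advisory (released by NetSarang on July 18, 2017).
AFFECTED_BUILDS = {
    "Xmanager Enterprise": 1232,
    "Xmanager": 1045,
    "Xshell": 1322,
    "Xftp": 1218,
    "Xlpd": 1220,
}

# Fixed builds from the advisory (released August 5, 2017).
FIXED_BUILDS = {
    "Xmanager Enterprise": 1236,
    "Xmanager": 1049,
    "Xshell": 1326,
    "Xftp": 1222,
    "Xlpd": 1224,
}

# Constructed sample inventory. The host,product,version layout is an
# assumption for this example, not a real asset-management export.
SAMPLE_INVENTORY = """host,product,version
ws-01,Xshell,5.0 Build 1322
ws-02,Xshell,5.0 Build 1326
ws-03,Xmanager Enterprise,5.0 Build 1232
ws-04,Xmanager,5.0 Build 1044
ws-05,Xftp,5.0 Build 1218
ws-06,Xlpd,5.0 Build 1221
ws-07,Xmanager Enterprise,5.0 Build 1236
"""

BUILD_RE = re.compile(r"Build\s+(\d+)", re.IGNORECASE)


def parse_build(version):
    """Extract the integer build number from a string such as '5.0 Build 1322'."""
    match = BUILD_RE.search(version or "")
    return int(match.group(1)) if match else None


def classify(product, version):
    """Classify one installed product against the advisory's build lists.

    'affected'     exactly one of the backdoored July 18 builds
    'current'      at or above the patched August 5 build
    'not_affected' any other build: clean per the advisory, but older than the fix
    'unknown'      product not covered here, or build number not parsable
    """
    name = product.strip()
    if name not in AFFECTED_BUILDS:
        return "unknown"
    build = parse_build(version)
    if build is None:
        return "unknown"
    if build == AFFECTED_BUILDS[name]:
        return "affected"
    if build >= FIXED_BUILDS[name]:
        return "current"
    return "not_affected"


def triage_inventory(csv_text):
    """Parse a host,product,version CSV and return one result dict per row."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        results.append({
            "host": row["host"],
            "product": row["product"],
            "build": parse_build(row["version"]),
            "status": classify(row["product"], row["version"]),
        })
    return results


def affected_hosts(csv_text):
    """Sorted hostnames running a backdoored build, ready for an incident ticket."""
    return sorted(r["host"] for r in triage_inventory(csv_text)
                  if r["status"] == "affected")


if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        print(f"{r['host']:8} {r['product']:22} build {r['build']}  -> {r['status']}")
    print("Hosts to remediate:", ", ".join(affected_hosts(SAMPLE_INVENTORY)))
```

Product names are matched exactly so that "Xmanager" and "Xmanager Enterprise" are not confused, since they have different affected and fixed builds. A host flagged affected ran a build that the advisory says could download additional modules, so it warrants an incident review rather than a routine update; hosts flagged not_affected are clean per the advisory but still below the fixed build and should be updated with the rest.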

Generally, MyCERT advises users of this software to keep up to date with the vendor's latest security announcements and to follow best-practice security policies when determining which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999@cybersecurity.my or mycert@mycert.org.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Web: http://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps: iOS Users or Android Users

5.0    References
•    https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
•    https://usa.kaspersky.com/about/press-releases/2017_shadowpad-attackers-hid-backdoor-in-software-used-by-hundreds-of-large-companies-worldwide
•    http://www.zdnet.com/article/shadowpad-backdoor-in-software-used-by-the-enterprise-exposed/