The attack, which Kaspersky has named ShadowPad, is the second attack within a very short time in which a software vendor was compromised in order to deliver malicious code to downstream targets via legitimate update mechanisms. Security researchers had long warned of such attacks; in the wild, this was then observed on a large scale with the outbreak of the NotPetya trojan in June of this year.

NotPetya had been distributed through the update mechanism of a legitimate piece of financial software. Whereas NotPetya used certificates that the update mechanism of the legitimate software did not properly verify, in this case the library nssock2.dll, which had been trojanized with malicious code, was signed with valid certificates from NetSarang.

Away from the financial world and multinational industrial conglomerates, gamers have repeatedly struggled with similar attacks. For example, Asian online multiplayer gamers have repeatedly fallen victim to trojans delivered with the installers of games such as League of Legends or Path of Exile. And as early as 2013, the hacking group Winnti attacked game developers in order to obtain the digital certificates for their software and to distribute malicious code signed with them to other targets. There are indications that the current attack could also originate from these groups. Security researchers suspect that the attacks come from an organized group from China.


Who is affected, what admins should do

The affected software is Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220. The trojanized software was available from the manufacturer from 17 July to 4 August 2017. Users who run one or more of these products should shut them down as soon as possible and update the software following the instructions in the manufacturer's security advisory. According to the manufacturer, clean updates for the tools were distributed on August 4th.
NetSarang confirms the attack on its own server. A completely new infrastructure for preparing and delivering software updates has been put into service, and the old systems were completely reinstalled. According to the company, all newly installed systems are now examined for security concerns before they are connected to the new infrastructure.
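As an added example (not part of the original article or of any NetSarang tooling), the following script checks a software inventory against the affected builds listed above. The build list comes from the advisory as quoted here; the inventory line format ("host: product version Build n") and the host names are assumptions constructed for the example.

```python
import re

# Affected builds, taken from the advisory list quoted in the article.
AFFECTED_BUILDS = {
    ("Xmanager Enterprise", "5.0", 1232),
    ("Xmanager", "5.0", 1045),
    ("Xshell", "5.0", 1322),
    ("Xftp", "5.0", 1218),
    ("Xlpd", "5.0", 1220),
}

# Hypothetical inventory line format: "<host>: <product> <version> Build <build>"
LINE_RE = re.compile(
    r"^(?P<host>\S+):\s+(?P<product>[A-Za-z ]+?)\s+"
    r"(?P<version>\d+\.\d+)\s+Build\s+(?P<build>\d+)\s*$"
)

def parse_line(line):
    """Return (host, product, version, build) or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("host"), m.group("product"), m.group("version"), int(m.group("build")))

def classify(line):
    """'affected' for a listed build, 'not_listed' otherwise, 'unparsed' if malformed."""
    parsed = parse_line(line)
    if parsed is None:
        return "unparsed"
    _, product, version, build = parsed
    return "affected" if (product, version, build) in AFFECTED_BUILDS else "not_listed"

def affected_hosts(lines):
    """Map each host running a listed build to the products to shut down and update."""
    result = {}
    for line in lines:
        if classify(line) == "affected":
            host, product, version, build = parse_line(line)
            result.setdefault(host, []).append(f"{product} {version} Build {build}")
    return result

# Constructed sample inventory (placeholder hosts; build 9999 is a placeholder value).
SAMPLE_INVENTORY = [
    "ws-01.example.test: Xshell 5.0 Build 1322",
    "ws-02.example.test: Xshell 5.0 Build 9999",
    "ws-03.example.test: Xmanager Enterprise 5.0 Build 1232",
    "ws-03.example.test: Xftp 5.0 Build 1218",
    "ws-04.example.test: garbage entry",
]

if __name__ == "__main__":
    for host, products in affected_hosts(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(products))
```

A "not_listed" verdict only means the build is not on the advisory list; it does not attest that the installation is clean.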