AusCERT 2018 - Finding a monster by its shadow

Sometimes, you can't see the bad guy lurking in your systems. They might have been in, done their damage and disappeared like a thief in the night. But there's always some evidence if you look hard enough and in the right place. This is the world of supply chain, or shadow, attacks.

Noushin Shabab, a cyber security researcher working at Kaspersky Lab, was part of a team that discovered that a South Korean company, NetSarang, had been attacked using a piece of malware called "ShadowPad". NetSarang Computer Inc is a popular provider of server management tools and secure connectivity solutions for a number of large companies.

One of their customers, in the financial services sector, noted some unusual DNS traffic. As they investigated further, they discovered a couple of interesting things. Some suspicious URLs were appearing in logs and there was a specific rhythm to the traffic. As they kept digging, they discovered that a software library, called XShell, had been compromised at some point and become trojanised. That means that while XShell itself wasn't causing specific problems, it was being used to contact other servers and bring in other, more damaging software in an attempt to bypass existing security controls.
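The tell-tale sign in the account above was DNS traffic with a regular rhythm. The following script is an added example, not code from the article or from Kaspersky Lab, showing one way a defender can surface that pattern: it parses DNS query log lines, groups them by client and queried name, and flags pairs whose inter-query gaps are nearly constant. The log format, the client addresses and the "lookup.example-placeholder.net" domain are all constructed for this example.

```python
"""
Flag periodic ("beaconing") DNS queries in a query log.

Added example, not from the article or Kaspersky Lab. The log format and
the sample lines below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <client ip> <query name>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+)$")

# Constructed sample: host 10.0.0.5 resolves a placeholder domain every
# 300 seconds exactly, while its other lookups are irregular.
SAMPLE_LOG = """\
2018-01-01T09:00:00 10.0.0.5 example.com
2018-01-01T09:00:00 10.0.0.5 lookup.example-placeholder.net
2018-01-01T09:01:13 10.0.0.5 cdn.example.org
2018-01-01T09:05:00 10.0.0.5 lookup.example-placeholder.net
2018-01-01T09:07:40 10.0.0.5 example.com
2018-01-01T09:10:00 10.0.0.5 lookup.example-placeholder.net
2018-01-01T09:12:02 10.0.0.5 example.com
2018-01-01T09:15:00 10.0.0.5 lookup.example-placeholder.net
2018-01-01T09:20:00 10.0.0.5 lookup.example-placeholder.net
2018-01-01T09:21:30 10.0.0.7 example.com
2018-01-01T09:25:00 10.0.0.5 lookup.example-placeholder.net
"""


def parse_log(text):
    """Yield (timestamp, client, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def find_beacons(text, min_queries=5, max_cv=0.1):
    """Return {(client, qname): (mean_gap_seconds, cv)} for pairs whose
    inter-query gaps are nearly constant.

    cv is the coefficient of variation (stddev / mean) of the gaps: 0 means a
    perfectly steady rhythm. max_cv sets how much jitter is tolerated, and
    min_queries keeps one-off lookups from being judged at all.
    """
    times = defaultdict(list)
    for ts, client, qname in parse_log(text):
        times[(client, qname)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = (mean, cv)
    return beacons


if __name__ == "__main__":
    for (client, qname), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {qname}: every {mean:.0f}s (cv={cv:.3f})")
```

A real implant usually adds jitter to its interval, so `max_cv` is a tuning knob rather than a fixed rule; raising it catches noisier rhythms at the cost of more false positives from legitimate schedulers, which is why the output is a list to investigate, not a verdict.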

Shabab said that once NetSarang was informed that the XShell file on their servers had been compromised and was being used in attacks against their clients, they removed the file and replaced it with a version of the software that was known to be clean.

The attack was very sophisticated. It used an encrypted payload that made it harder to detect and the decryption routine, which was very small, was also hidden within the malicious software code. This information led researchers and investigators to the conclusion that the infected code was injected into the XShell software at an early stage of the software's development. It also made analysis of the code more complex, she said, as the hackers were able to manipulate the source code of the application by introducing extra bytes of data that made it harder to use the tools typically used when disassembling malware to understand how it works and where it came from.

Adding to the complexity for researchers and investigators was that the command and control services used by the malware kept changing and other parts of the damaging source code kept trying to access those servers to download more dangerous software to cause further damage to systems.

The attackers in the NetSarang case were very clever. Rather than going directly for their target, they used the supply chain to introduce malware. That thousands of other systems were also compromised was part of the collateral damage of the attack.

Shabab said attacks like this are not very common as they require a high level of insider access and patience to execute successfully. The attackers need to be able to introduce their malware on the systems of a trusted partner. And, as a service provider to thousands of companies, NetSarang had strong protections in place.

The malware was also sophisticated and was designed to be hard to trace so that attribution of the attack, and therefore the intended target or targets, was very challenging.

It also highlights the lengths a determined attacker will go to and the risks all businesses face. In this case, potentially hundreds of companies, many of them among the largest in the world, were affected even though they weren't the targets. But, if the ShadowPad malware had not been detected, the potential existed for the threat actor to work their way through NetSarang's clients, executing attacks based on the ShadowPad malware.

This highlights the importance of maintaining your own security systems, in addition to those offered by service providers.

Copyright © 2018 IDG Communications, Inc.