Zero-day vulnerability in Xftp

Backdoor

A backdoor code was detected in NetSarang software on August 4, 2017. Next day, on August 5 the developer has released an update to resolve the issue. As of August 15, there is an evidence, that the code has being utilized by one instance in Hong Kong.

The malicious code was delivered to the vendor's clients  by compromising the software update mechanism. The backdoor was included into updates, issued on July 18, 2017. The update contained ShadowPad backdoor.

Known malware:

ShadowPad backdoor

Vulnerability details

Advisory: SB2017081602 - Backdoor in NetSarang software

Vulnerable component: Xftp

CVE-ID:

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Description:

The vulnerability allows a remote attacker to gain complete control over affected system.

The weakness exists due to presence of backdoor functionality in the nssock2.dll library. After installation, the backdoor ShadowPad activates itself by sending a DNS TXT request for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.

The backdoor has the ability to connect to a malicious C&C server and executed commands, sent by malicious actors.

The backdoor was discovered on August 4, 2017 by Kaspersky Labs researchers.

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.