Zero-day vulnerability in Xftp
Backdoor
A backdoor code was detected in NetSarang software on August 4, 2017. Next day, on August 5 the developer has released an update to resolve the issue. As of August 15, there is an evidence, that the code has being utilized by one instance in Hong Kong.
The malicious code was delivered to the vendor's clients by compromising the software update mechanism. The backdoor was included into updates, issued on July 18, 2017. The update contained ShadowPad backdoor.
ShadowPad backdoor
Vulnerability details
Advisory: SB2017081602 - Backdoor in NetSarang software
Vulnerable component: Xftp
CVE-ID:
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-798 - Use of Hard-coded Credentials
Description:
The vulnerability allows a remote attacker to gain complete control over affected system.
The weakness exists due to presence of backdoor functionality in the nssock2.dll library. After installation, the backdoor ShadowPad activates itself by sending a DNS TXT request for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.
The backdoor has the ability to connect to a malicious C&C server and executed commands, sent by malicious actors.
The backdoor was discovered on August 4, 2017 by Kaspersky Labs researchers.