Kaspersky Lab discovered a backdoor in signed code from NetSarang Computer, a South Korean company. The software, Xmanager, is used to manage Linux/Unix applications on Windows platforms. According to Kelly Jackson Higgins in a DarkReading article,
The cyber espionage malware was embedded in one of the source code libraries of NetSarang Computer’s July 18, 2017 software builds. Its Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, were all compromised.
NetSarang Computer’s network was apparently compromised, resulting in distribution of trusted, signed code with embedded malware (Goodin, 2017). This is now patched, and customers should apply the patch immediately.
This is an example of an attacker-created vulnerability created by attacking the supply chain instead of actual targets. As in this case, customers have no reason to believe the vendor is malicious. NetSarang Computers is not a threat agent, but a vulnerability in its security resulted in weaknesses in many organizations.
As with any organization, no security framework is perfect. We have to believe that, as target organization security strengthens, attackers will start looking at supply chain attacks. Some organizations have hundreds, or thousands, of applications installed by IT and business employees. One or more of these vendors will eventually fall victim to an attack like that experienced by NetSarang Computer. Goodin writes,
The NotPetya worm that shut down computers around the world in June used the same tactic after attackers hijacked the update mechanism for tax software that was widely used in Ukraine. Supply-chain attacks that targeted online gamers included one used to spread the PlugX trojan in 2015 and the malware dubbed WinNTi in 2013.
In this case, blocking and monitoring for anomalous traffic would likely prevent or detect backdoor activity. However, software whitelisting is still one of the best ways to minimize the number of applications you have to watch.
