As seen with the current trending news of hacking, it has now entered into a new era of multi-dimensional hacking which ensures that the attack is successful and affects many people. One of such innovations in hacking is the recent discovery of a backdoor in server management system.
Cyber criminals managed to take control over the update mechanism of a popular server management system and thus create a backdoor in server management system. This backdoor lasted for 17 days until it was discovered by security experts after it had delivered enough harm.
Given the name of ShadowPad, this backdoor in server management system provides hackers complete control over data and networks. This backdoor was discovered hidden behind a famous software sold by NetSarang. This is used by various banks, media houses, power sector firms and in many other vital places.
Thanks to security researchers and experts at Kaspersky Labs who discovered this well-integrated backdoor before it caused further destruction for famous firms. According to the researchers, a vulnerability in the update mechanism was exploited.
Kaspersky researchers reported all their findings privately to the developers at NetSarang on August 4th who then fixed the vulnerabilities and rolled out updates. The researchers seemed astounded on the ingenuity of the backdoor in server management system. The backdoor actually sent out information every 8 hours of the affected systems and servers and their details.
On explaining how the backdoor works, the researchers told that the backdoor was activated by a DNS TXT record on a specific domain name. This name is mostly based on the current date and then a DNS lookup is performed on it.
Following this, the command and control DNS server sends back the decryption key for activating the backdoor in the server management system successfully. Now the hacker has complete control over the registry entries, processes and much more.
Now the question is: How can you detect if you are affected by this backdoor in server management system?
The answer to this is: First of all ensure updates to your NetSarang’s packages and secondly, check any DNS requests from your organization’s server to the following list of domains and consequently, block them immediately:
- ribotqtonut[.]com
- nylalobghyhirgh[.]com
- jkvmdmjyfcvkf[.]com
- bafyvoruzgjitwr[.]com
- xmponmzmxkxkh[.]com
- tczafklirkl[.]com
- notped[.]com
- dnsgogle[.]com
- operatingbox[.]com
- paniesx[.]com
- techniciantext[.]com
Stay updated and stay safe!
