Yup, by all means, don't use Kaspersky in the US government. Mmm-hmm.
Dips.
Researchers at Kaspersky Lab have found a well-hidden backdoor in NetSarang's server management software. The secret access route, dubbed Shadowpad by its discoverers, lurks in the nssock2.dll library within NetSarang's Xmanager and Xshell software suites. It pings out every eight hours to a command-and-control server with the …
"Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator," NetSarang said in a statement.
A somewhat ambiguous statement that could, should one be uncharitable, not rule out the vendor as the creator. At best their QA is shit. At worst their practices are perhaps patriotic (just not your patriot).
Perfection is a fool's dream.
They were up against an intelligent attacker not a random zluttz.
Good for holding-up hands and being honest. Give credit where it's due.
Even supposing, like you did, that NetSarang were the actual perps (eh, suddenly switch business model to Kamikaze?), then the issue is out in the open and visible.
"Patriotic"? Your trollisms don't work here mate.
> Perfection is a fool's dream.
> They were up against an intelligent attacker not a random zluttz.
I'm not sure their customers want perfection, but something they can rely upon to do what it says on the tin would be nice. And since this particular tin says "Secure UNIX/Linux connectivity solution", I think their customers have the right to be angry.
Since this is hardly the first time that backdoors have been incorporated into products and firmware in the supply chain, it is high time that hardware and software manufacturers took this sort of issue more seriously in their QA processes. And I think those that don't will soon be seeing the consequences on their bottom line.
> not rule out the vendor as the creator
If you haven't yet definitively identified the source it is foolish to rule out the possibility that it originated in house. An employee who has been suborned, even one who has been blackmailed: "Here's a picture of your pretty daughter on her way to school. Here's a picture of one of the pretty girls our partner organisation 'makes use of'. You do want to include this code in the next revision, don't you?"
It does, of course, militate against current PR 'best' practice not to assume the least unfavourable light until you know for sure exactly what happened, but it's not a bad thing.
There's also the small point that if you are actively tracking down the bad guys, it may be a mistake to let them know how close you are getting in case they run before law enforcement catches them.
A suborned employee is not (in any real sense) "the vendor". A suborned employee is just a mechanism for how the external attacker places the code in the product.
"The vendor as creator" was my initial thought on reading the headline - I thought it was a debugging tool that was left in place in the release. However, debugging tools don't tend to conceal their access to C&C servers like this....
What is a DLL? Sounds like a really secure way to build an OS.
well, you have a choice...
1. use a shared file of routines and functions to keep programs smaller by compiling dynamic.
2. make every program larger by including what could be shared code into all of them and compile everything static.
Which is the nightmare scenario for Windows update users.
"Set up a shadow file system in the registry"
WTF?
Would that even be possible in any other mainstream OS (one that didn't have an everything-and-the-kitchen-sink "database" in it)?
If vendors had to buy IP addresses in a set range (non-geographic) for specific uses we could more readily assess network traffic for strange activity. Most of these backdoors will be using IP addresses that are not the original vendor's, so if I install some software that can only connect to IP-Land registered addresses X and Y, any attempts to connect to addresses outside that are non-standard traffic and should flag up. Critical software is not a browser; it should only ever perform known actions to known destinations.
That's more or less what your firewalls are for, it's just that most people still assume firewalls are only meant to protect from external threats.
So they still allow, for instance, all servers to connect to any IP in the world using the basic protocols (http/https for instance).
Seems that financial client of Kaspersky was actually doing things right, and actually investigated blocked outgoing traffic to the point of hiring Kaspersky to figure out what was causing it.
But in the end your idea is just another approach that would generally not be implemented for the same reasons -- so many people assume traffic originating from their own systems is legitimate by default.
"It is assumed someone managed to hack into NetSarang's operations and silently insert the backdoor"
It is assumed, is it, without any evidence? And just who did the assuming? A more likely scenario is that it was done by the NetSarang developers at the behest of the state security apparatus. Or else they got a security audit done by some Israeli cyber threat company with links to the self-same state security apparatus.
Only mail servers connected to the Internet should be performing regular TXT record lookups. That being said, Macs do it as well occasionally for whatever reason, and those domains can be filtered out.
DNS TXT records are a common way of performing command and control functions or of exfiltrating data via DNS Tunneling.
But you have to be logging all DNS queries, and non-aware companies will complain that it takes too much disk space. 'Cause, you know, it's better to be hacked and not know about it. That way you don't have to notify anyone.
Good luck anyway, in any 2000+ employee company, with detecting an 8-hour-period DNS lookup amongst all the shit going to DNS, due to wrong configurations/design of all products/OSes used by everyone ...
Dunno whether TXT lookups are a common way, but this is actually quite a stealthy method of remote activation ...
Albeit perhaps not widely known, DNS used for data exfiltration or cloaked communication by malware is not exactly a new technique but has unfortunately been used for some time, with some high-profile retailers having their point-of-sale machines targeted by such crapware last year.
Thanks to algorithms and all those new analytics frameworks, there are solutions available today to help, by combining DNS payload and traffic analysis to identify exfiltration attempts. Though you still need to have visibility into your DNS traffic and control your recursive DNS infrastructure.
Not giving names, I'm working for a vendor of such solutions. :-)
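The detection the last few comments argue about (a fixed-interval TXT lookup from a host that has no business doing TXT lookups, found only if you keep DNS query logs) can be checked with a small script over the log. This is an added example, not code from the thread or from any vendor; the log lines are constructed, and the MAIL_SERVERS allowlist of hosts expected to do TXT lookups (SPF/DMARC) is an assumption.

```python
# Flag hosts that issue DNS TXT queries on a near-constant beacon interval,
# the way the backdoor discussed above phones home every eight hours.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample DNS query log: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2017-08-14T00:03:11 10.0.0.25 TXT beacon.example.invalid
2017-08-14T00:05:40 10.0.0.9 A www.example.invalid
2017-08-14T08:03:14 10.0.0.25 TXT beacon.example.invalid
2017-08-14T09:12:00 10.0.0.9 TXT _dmarc.example.invalid
2017-08-14T16:03:09 10.0.0.25 TXT beacon.example.invalid
2017-08-15T00:03:12 10.0.0.25 TXT beacon.example.invalid
2017-08-15T03:40:00 10.0.0.9 TXT example.invalid
"""

# Assumed allowlist: hosts that legitimately do TXT lookups (mail servers).
MAIL_SERVERS = {"10.0.0.9"}

def parse(log):
    """Yield (datetime, client, qtype, qname) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        yield datetime.fromisoformat(ts), client, qtype.upper(), qname.lower()

def periodic_txt_beacons(log, min_queries=3, max_jitter=0.05, mail_servers=MAIL_SERVERS):
    """Return {(client, qname): period_hours} for TXT query series from
    non-mail hosts whose inter-query gaps are nearly constant
    (population stddev / mean <= max_jitter)."""
    series = defaultdict(list)
    for ts, client, qtype, qname in parse(log):
        if qtype == "TXT" and client not in mail_servers:
            series[(client, qname)].append(ts)
    hits = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg / 3600, 2)
    return hits

if __name__ == "__main__":
    for (client, qname), hours in periodic_txt_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {qname}: TXT query every {hours} h")
```

The jitter threshold is what separates a timer-driven beacon from a human-driven or cache-driven lookup; widen it if the implant randomises its sleep, and feed it the full recursive resolver log rather than a sample.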