NetSarang
NetSarang server tools shipped with ShadowPad backdoor.
Legitimate releases of NetSarang's server management software (Xmanager, Xshell, Xftp, Xlpd) were compromised to include the ShadowPad backdoor. The trojanized builds were distributed through the vendor's own download site and carried NetSarang's legitimate code signature, so neither the download source nor a signature check would have flagged them; any organization that installed an affected build, including highly sensitive organizations worldwide, was exposed to remote control and data exfiltration. The backdoor was discovered after being live for roughly 17 days (2017-07-18 to 2017-08-04).
- Date
- 2017-07-18 to 2017-08-04
- Category
- Commercial
- Target Surface
- Build/CI
- Insertion Phase
- CI/CD
- Impact
- Backdoor
- Cause
- Build system compromise
What Was Affected
Package
NetSarang
Component
Application
Artifact type
binary archive
Domain type
project download host
Domain
netsarang.com
Compromised Versions
- Xmanager Enterprise 5.0 Build 1232
- Xmanager 5.0 Build 1045
- Xshell 5.0 Build 1322
- Xftp 5.0 Build 1218
- Xlpd 5.0 Build 1220
Incident Context
- Motive
- Espionage
- Attribution
- Nation-state
- Transitive
- No
- User Impact
- 10000
- Observed Duration
- 17 days
Evidence
Compromised Artifacts
- netsarang.com/downloads/Xmanager-enterprise-5.0-build-1232.exe
- netsarang.com/downloads/Xmanager-5.0-build-1045.exe
- netsarang.com/downloads/Xshell-5.0-build-1322.exe
- netsarang.com/downloads/Xftp-5.0-build-1218.exe
- netsarang.com/downloads/Xlpd-5.0-build-1220.exe
Current Artifacts and Analysis
Indicators and Changes
Hashes
- sha256:db67eaef6a31d392a0240a92494c9058d864f3fc7be5b42767e5c978c690023c
- sha256:5554bf896a8f77a2f12df4af39e7baeebb411953d4158249b87688f9c8d35ba5
- md5:97363d50a279492fda14cbab53429e75
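The hashes above are the record's only machine-checkable indicators. The following scanner is an added example, not part of the original record or of any NetSarang or Kaspersky tooling: it parses the record's `algorithm:digest` indicator strings, hashes every regular file under a directory once per algorithm, and reports matches. The indicator strings are copied from the record; the directory layout and the `scan`/`parse_iocs` function names are assumptions made for this example.

```python
"""Scan a directory tree for files matching the NetSarang/ShadowPad IOC hashes.

Added example, not part of the original incident record. The indicator strings
in NETSARANG_IOCS are copied from the record's Hashes field; the scanning logic
and function names are this example's own.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Set, Tuple

# Indicators exactly as written in the record: "<algorithm>:<hex digest>".
NETSARANG_IOCS = [
    "sha256:db67eaef6a31d392a0240a92494c9058d864f3fc7be5b42767e5c978c690023c",
    "sha256:5554bf896a8f77a2f12df4af39e7baeebb411953d4158249b87688f9c8d35ba5",
    "md5:97363d50a279492fda14cbab53429e75",
]

# Hex digest length per supported algorithm, used to reject malformed indicators.
_DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_iocs(indicators: Iterable[str]) -> Dict[str, Set[str]]:
    """Group 'algo:hex' indicators by algorithm, lower-cased and length-checked."""
    by_algo: Dict[str, Set[str]] = {}
    for raw in indicators:
        algo, sep, digest = raw.strip().partition(":")
        algo, digest = algo.lower(), digest.lower()
        if not sep or algo not in _DIGEST_LEN:
            raise ValueError(f"unsupported indicator: {raw!r}")
        if len(digest) != _DIGEST_LEN[algo] or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed {algo} digest: {raw!r}")
        by_algo.setdefault(algo, set()).add(digest)
    return by_algo


def hash_file(path: str, algos: Iterable[str]) -> Dict[str, str]:
    """Hash one file with every requested algorithm in a single streaming pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan(root: str, indicators: Iterable[str] = NETSARANG_IOCS) -> List[Tuple[str, str, str]]:
    """Walk `root`; return (path, algorithm, digest) for each file matching an indicator.

    Symlinks are skipped so a link pointing outside the tree is not hashed twice
    or used to walk somewhere unexpected.
    """
    iocs = parse_iocs(indicators)
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            for algo, digest in hash_file(path, iocs.keys()).items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


if __name__ == "__main__":
    import sys

    for path, algo, digest in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {algo}={digest} {path}")
```

Two caveats when using this. First, an exact-hash match only finds the specific artifacts listed; a rebuilt or re-signed variant of the same backdoored component will not match, so a clean scan means "these listed files are absent", not "this host is not compromised". Second, the record does not say which file each digest belongs to (installer versus an embedded component), so match results should be tied back to the installed build numbers listed under Compromised Versions rather than interpreted on their own.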
External References
Source Data
Source record: proprietary/netsarang/meta.yaml