
Progress Report of the nssock2.dll Backdoor
The aftermath of “ShadowPad” and how we’re moving forward

Posted Aug 30, 2017

Here at NetSarang, we’re committed to the security of our users. Not only is it inherent in the nature of our software, but the industries in which our software is deployed demand it. The backdoor which was discovered in our software on August 4th, 2017, dubbed ShadowPad, was an unfortunate and costly mistake that should never have happened. Below, we’ll go over what happened over the course of the last few weeks and how we’ve decided to move forward.

First, if you are still using the affected Build, please update your software immediately. Information on how to update your software can be found in our initial announcement here:

Discovery of the Backdoor

On August 4th, we received a tip that our software was making suspicious DNS queries. An emergency meeting of company officials was immediately called and we began an investigation. The investigation led to the discovery of malicious code in the nssock2.dll file, which was harboring a backdoor that had the potential to be exploited by its creator. Further investigation showed that it was only present in the latest Build at the time. The affected Build was taken down and an All-Hands-on-Deck meeting was called.

Phase 1 - Containment and Formal Notifications

At this point, our number one priority became closing the backdoor, releasing a patch, and moving users off the affected Build en masse. Acting swiftly was crucial. A new build was created and was verified clean by a third-party cybersecurity firm. The build was pushed to all users, even those who were using our software illegitimately.

Users who were using the affected Build, were connected to the internet, and had opted in to receive updates periodically were shown a prompt informing them of the security issue and telling them to update their software immediately. A round of emails was sent out as well. At this point, antivirus software began quarantining or deleting the affected dll file, and many users reported that they were unable to launch the software; this could be remedied by installing the latest secure Build.

Phase 2 - Continued Investigation and Monitoring

After we released the patch, we continued to monitor the situation and, as expected, received inquiries from our customers and user base. Currently, there have been no direct reports to us of any critical information being stolen. Once we ensured the security of our users’ clients had been restored, our investigation turned to the source of the backdoor itself. What was clear was that we had been hit by a supply chain attack. Our network had been compromised and we were not ruling out any possibilities. We needed an independent third party to step in and assist us in investigating the issue, to ensure we were attacking it from all angles without bias. Therefore, on August 7th, 2017, we enlisted the help of KISA (Korea Internet & Security Agency).

About four days later, KISA’s investigation discovered a weak link in our network security and the probable vector through which our supply chain was compromised. There are remnants of the intrusion into our network, as well as evidence of the attacker’s attempts to hide their tracks. Currently, we do not know who the hacker is, nor do we know what their motivation was. We are continuing to investigate and hope to one day bring the attacker to justice.

Phase 3 - Network Infrastructure Migration

After it became clear that our network infrastructure was compromised, we made the decision to abandon it completely. We cannot risk the security of our users so we began the process of migrating to a completely separate and new network infrastructure. Each device is being placed one-by-one into the new network infrastructure. The process is outlined below:

  1. Backup - Each device is backed up and stored offline for further investigation as required.
  2. Wipe - Once a device is backed up, it is wiped completely and prepped for introduction into our new network infrastructure.
  3. Examine - Before the device can be put into our new infrastructure, all the necessary components are installed on it. The device is then examined by multiple individuals to ensure that there are no lingering issues.
  4. Approval - The device goes through a final approval process and is signed off to be placed into our new network infrastructure.

Through this method, we can be sure that we’re re-starting our development with a clean slate. As of August 28th, 2017, we’ve completed roughly half of the migration.

Phase 4 - Back to Work

Since critical machines were cleared for introduction into the new network infrastructure first, we were able to slowly get back to development. Our Code Signing certificate has been reissued, and on August 25th, 2017, we released another Build of our full line of software. We upgraded session file password encryption and have split our license types into separate packages, which improves the deployment efficiency of our software.

We’re also improving our development policies to ensure we never again deliver a compromised package to our users. Before each release, there are a number of checks we use to make sure the package output by our Build machine is secure and contains nothing we don’t want included in it. Our policies include multiple checks and comparisons of source code by multiple individuals, additional antivirus scans across multiple antivirus tools via VirusTotal, a set period of pre-release monitoring of new Builds before they are released to the public, and other internal procedures.
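The following is an added illustration of one such release check, written for this page and not NetSarang’s own tooling. It assumes the same package is built on two independently managed machines and that the release engineer keeps an allowlist of the files a package is expected to contain; the gate then fails if any file differs between the two builds, is missing from either, or is not on the allowlist. The file names and contents in the demo are constructed, and the tampered DLL is simply the clean file with two extra bytes appended.

```python
"""Release-gate check: compare a package built on two machines against an allowlist.

Added example, not NetSarang's release tooling. Assumptions: two independent
build machines each produce the package directory, and an allowlist of expected
files is maintained outside the build machines.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(build_a, build_b, expected_files):
    """Return a list of findings; an empty list means the package passes the gate.

    Findings are reported in sorted path order so the output is stable and
    diffable between runs.
    """
    findings = []
    expected = set(expected_files)
    for path in sorted(set(build_a) | set(build_b) | expected):
        in_a, in_b = path in build_a, path in build_b
        if path not in expected:
            # A file nobody intended to ship: the most important signal here.
            findings.append(f"UNEXPECTED {path}")
        elif not (in_a and in_b):
            findings.append(f"MISSING {path} (build_a={in_a}, build_b={in_b})")
        elif build_a[path] != build_b[path]:
            # Same source, different bytes: one build machine disagrees with the other.
            findings.append(
                f"MISMATCH {path}: {build_a[path][:12]} != {build_b[path][:12]}"
            )
    return findings


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)


def demo():
    """Build two constructed package trees; the second carries a modified DLL
    and a stray file. Returns the gate's findings."""
    expected = ["Xshell.exe", "nssock2.dll"]  # constructed allowlist
    clean_dll = b"MZ-constructed-clean-dll-bytes"
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root in (a, b):
            _write(root, "Xshell.exe", b"MZ-constructed-exe-bytes")
        _write(a, "nssock2.dll", clean_dll)
        _write(b, "nssock2.dll", clean_dll + b"\x00\x00")  # constructed difference
        _write(b, "debug.log", b"constructed leftover file")
        return compare_manifests(hash_tree(a), hash_tree(b), expected)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice the two manifests would be produced on separate hosts and shipped to the comparing machine, so that a single compromised build host cannot both alter a file and vouch for it; the allowlist is what catches an added DLL that a pure build-to-build comparison would miss if both hosts were affected the same way.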

What We Learned

The past few weeks have been rough. Not just for us, but even more so for our users. Many users have contacted us to let us know that they are moving away from our software, and we are saddened to see these users go. However, others have reached out to us with messages of encouragement and have expressed their faith in our ability to overcome and learn from our mistakes, for which we are unimaginably grateful. We will work tirelessly to restore our reputation.

Thinking that one is 100% secure is hubris. Cyberattacks are continuously evolving, and thus we need to be ever-changing as well. Our hope is that ShadowPad can be a source of education for organizations around the world. It is our responsibility as software developers to anticipate and preemptively prepare for what’s coming next.

As a user of NetSarang software, you have our promise that we are monitoring the situation with the utmost priority. We will utilize it as a learning experience from which we must improve and regain your trust. Thank you for using NetSarang software.