'Zombie' malware targets shipping and logistics companies
The cyber security firm TrapX on Thursday said it had discovered a form of malware implanted by an unidentified Chinese manufacturers in terminal scanners designed to track inventory levels.
The firm said the malware was aimed specifically at the shipping and logistics industry.
“Weaponized malware was delivered into shipping and logistics enterprise environments from a Chinese manufacturer responsible for selling proprietary hardware for terminal scanners used to inventory items being shipped or transported in and out of many countries,” San Mateo, Calif.-based TrapX said in a statement Thursday.
“The malware was delivered through the Windows-embedded XP operating system installed on the hardware at the manufacturer's location in China and could also be downloaded from the Chinese manufacturer's support website. A variant of this malware was also sold and delivered with the same hardware product to a large manufacturing company as well as to seven other identified customers of this hardware product worldwide," it continued.
The malware, dubbed “Zombie Zero,” was then designed to look for enterprise resource planning (ERP) servers with the word “finance” in their names to compromise those, TrapX Executive Vice President and General Manager Carl Wright told PC World.
Wright added that the firm had identified seven victims of the attack, six of which are in the shipping and logistics industry.
The attack was reportedly designed to relay information from compromised ERPs back to a university in China’s Shandong Province that has previously been linked to corporate espionage, TrapX said.
“Supply chain poisoning is a serious threat because suppliers are typically given some form of authorized access to an organization’s back-office systems,” said Gregory Novak, principal research analyst at the Information Security Forum. “For an attacker, the hardest part of a successful exploit is getting the initial access to systems that will enable the attacker to explore the organization’s infrastructure with the intent of escalating the attack. We take great pains to deny access to anonymous attacks — but suppliers are invited in and given access.
“We’re not seeing more of these attacks primarily because we haven’t been detecting them yet,” Novak continued. “There are very likely similar attacks that are in place and exfiltrating data right now. This attack combined elements of advanced persistent threat, malware, rootkits, and compromised privileged access — each of these elements have been growing in sophistication individually, and they’re also being assembled into more sophisticated exploits."
Novak said he expects to see more reports like these.
“We will absolutely see more of these attacks in the future,” he said. “Any such device, no matter how humble, should be seen as a stepping stone, which could be used in an escalation attack on more critical systems and data. The supply chain is increasingly becoming the easy route for exploitation and exfiltration of intellectual property and malware. We need to see much more focus on the management of risk and security across the supply chain.”
We’ll send it to you!
Register now and get the free AS Daily.