A supply chain compromise is a security pro’s worst nightmare. The thought of malware being planted on computer devices before they leave the factory sends shivers down a cyberdefender’s spine. A disturbing case of such poisoning was reported last week by researchers at TrapX.
The researchers found advanced persistent threat malware, which TrapX has dubbed “Zombie Zero,” was being used to infect a version of Windows XP embedded on devices.
Zombie Zero was being used in a highly targeted attack on the shipping and logistics industry across the globe, the company said.
The malware was delivered into shipping and logistics enterprise environments by a Chinese manufacturer responsible for selling proprietary hardware for terminal scanners used to inventory items being shipped or transported in and out many countries, according to TrapX.
The malware was delivered through the Windows embedded XP operating system installed on the hardware at the manufacturer’s location in China. The bad app also has been planted on the manufacturer’s support site, so even scanners not infected at the factory can later be poisoned remotely.
Chinese Connection
“As far as we know, this is the first APT malware introduced on a manufactured piece of hardware,” Carl Wright, executive vice president and general manager for Trapx, told TechNewsWorld.
“When an infected device is hooked up to a customer’s system, the scanner starts looking for financial information,” he explained.
It also downloads a second piece of malware used to exfiltrate data from the infected system, and to communicate with the command-and-control server of a botnet.
“The botnet terminates at a very well-known Chinese academy of science,” Wright said.
That academy — the Lanxiang Vocational School — was linked to cyberattacks on Google in 2010. It is located just several blocks from the factory where the malware was installed on the devices.That Although the hackers delivered their malicious payload with an embedded version of Windows XP, the operating system wasn’t compromised by the malware, Wright said. The two were merely packaged together.
Pernicious Problem
However, there’s concern that XP embedded is in the same boat as XP for the desktop, now that Microsoft has stopped support for the operating system.
“All systems that use XP are at risk of security breaches that exploit new vulnerabilities in XP,” Vijay Basani, president and CEO of EiQ Networks, told TechNewsWorld. “We can expect additional security breaches like this in the future, because Microsoft has officially said they will no longer provide security patches for XP systems.”
Supply chain attacks can be particularly pernicious, noted Gregory Nowak, a principal research analyst with the Information Security Forum.
“It’s a serious threat, because suppliers are typically given some form of authorized access to an organization’s back-office systems,” he told TechNewsWorld.
“For an attacker, the hardest part of a successful exploit is getting the initial access to systems that will enable the attacker to explore the organization’s infrastructure with the intent of escalating the attack,” Nowak explained. “We take great pains to deny access to anonymous attacks — but suppliers are invited in and given access.”
The problem could get worse in the future, he added.
“As the Internet of Things grows, we are going to see more Internet-enabled devices, which means more operating systems and more potential targets for malware and rootkits,” Nowak pointed out. “Any such device, no matter how humble, should be seen as a stepping stone which could be used in an escalation attack on more critical systems and data.”
Return of Miniduke
Speaking of APTs, the Miniduke is back, Kaspersky Lab reported last week. Used in campaigns that target governments and other entities, the malware’s operations were drastically curtailed last year, after Kaspersky and CrySyS Lab exposed its mechanics.
Miniduke 2014 is exploiting a new backdoor to steal a variety of file types that include image, audio, document and compressed archive files.
The malware also has changed its targeting profile, Kaspersky noted. The new Miniduke is targeting diplomatic organizations, the energy sector, telecom operators, military contractors, and individuals involved in the trafficking and selling of illegal and controlled substances.
More sophisticated shops shouldn’t be too concerned with the new Miniduke, noted John Prisco, president and CEO of Triumfant.
“If you’ve got the right detection tool, you can afford to laugh at this kind of attack,” he told TechNewsWorld.
“APTs leave a great deal of evidence — and this one is rather complex — so it will leave a very clear trail that an advanced malware detection product would find instantly,” said Prisco.
However, if you don’t have an advanced detection system and the APT gets under your roof, he added, “it’s going to run rampant and hang around for 10 months before you figure out you’re having your intellectual property stolen.”
Breach Diary
- July 7. Alabama Department of Public health notifies some 1,200 people born in 1995 and 1996 that their personal information has been compromised, and they could be potential victims of a US$20 million tax fraud ring currently being prosecuted by federal law enforcement authorities.
- July 8. Avast, a computer security software company, releases analysis of 20 used smartphones that were reset to their factory settings. Despite an expectation that all data should be deleted from the phones, the company found more than 42,000 photos, 1,000 Google searches, 750 emails and text messages, 250 contact names and email addresses, identifying information for four previous owners, and one completed loan application.
- July 8. Park Hill School District in Missouri reports that personal information of an undisclosed number of current and former students and employees is at risk after being posted to the Internet by a former employee without authorization. There is no evidence that the information was misused while exposed on the Net.
- July 9. Blue Shield of California accidentally exposes Social Security numbers of some 18,000 doctors after it failed to remove personal information in records sent to state Department of Managed Health Care. Records later were included in responses to 10 requests for public records.
- July 10. Lacoon Mobile Security reports that Gmail app for Apple iOS devices contains a flaw that allows hackers to open up the encrypted communications of the webmail program.
- July 11. Schnucks, a food store chain in the St. Louis area is ordered to compensate victims of data breach between $300,000 and $500,000.
- July 11. U.S. government says no personal information on federal employees was compromised in March attack by Chinese hackers on computer systems of the Office of Personnel Management and Department of Homeland Security.
- July 11. China Central Television, a state-run broadcaster, claims the iPhone’s location-tracking function is a “national security concern.”
Upcoming Security Events
- July 16. Identify and Combat Targeted Attacks. 1 p.m. ET. Webinar sponsored by OpenDNS. Free with registration.
- July 16. The Digital Attack Map: Seeing the Advanced Threat Landscape. 11 a.m. ET. Webinar sponsored by Arbor Networks. free with registration.
- July 17. Black Hat USA Preview. 2 p.m. ET. Webinar. Free with registration.
- July 19. B-Sides Cleveland. B side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio. Free.
- July 21. Living with Cyber Insecurity: Reducing the National Security Risks of America’s Cyber Dependencies. 4 p.m.-5:30 p.m. News conference and panel discussion sponsored by Center for a New American Security. American Association for the Advancement of Science, 1200 New York Ave. NW., Alberson/Haskins Conference Room, Washington, D. C. Free.
- July 23. Data Breach: HIPAA and Beyond. 1 p.m. ET. Webinar sponsored by Davis Wright Tremaine. Free with registration.
- July 23. The Social Impact of Open Data. Noon-1:30 p.m. Panel discussion sponsored by The Center for Data Innovation and the Sunlight Foundation. 1101 K St. NW., Suite 610A, Washington, D.C. Free with registration.
- Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
- Aug. 5-6. Fourth Annual Cyber Security Training Forum. Double Tree Hilton Hotel, Colorado Springs, Colo.
- Aug.5-6. B-Sides Las Vegas. Tuscany Suites and Casino, Las Vegas. Free.
- Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
- Aug. 16-17. B-Sides Dubai. Dubai World Trade Center. Free.
- Aug. 23. B-Sides Minneapolis-St. Paul. Nerdery! Free with registration.
- Aug. 29-30. B- Sides Hyderabad. Hyderabad International Convention, India. Free with Registration.
- Sept. 12. Suits and Spooks London. Blue Fin Building, Southwick, London, U.K. Registration: to July 31, Pounds 135; after July 31, Pounds 200.
- Sept. 6-7. B-Sides Dubai. Move n Pick Jumeirah Hotel, Dubai. Free.
- Sept. 13. B-Sides Memphis. Southwest Tennessee Community College, 5983 Macon Cove, Memphis, Tenn. Free.
- Sept. 13. B-Sides Augusta. Georgia Regents University, Science Hall, 2500 Walton Way, Augusta, Ga.
- Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
- Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
- Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
- Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.