Attacks/Breaches

7/10/2014 10:32 AM

Chinese Hackers Target Logistics & Shipping Firms With Poisoned Inventory Scanners

'ZombieZero' still actively pushing rigged handheld scanning devices, reviving concerns of doing business with Chinese tech companies.

Malware-poisoned handheld inventory scanners from China are stealing information from logistics and shipping firms as well as manufacturing companies around the globe in an attack campaign dubbed "ZombieZero" by the researchers who discovered it.

A Chinese manufacturer that sells the popular devices for scanning items shipped or transported apparently has been implanting the malware in its products, as well as via the Windows XP embedded version of the software on the scanner maker's support website. Researchers from TrapX Security, which today provided details of the attacks, say scanners with another variant of the same malware were also sold to a large robotics firm and seven other companies, which they did not name.

Logistics firms use the scanners to track shipments as they are loaded and unloaded from ships, trucks, and airplanes.

"The attackers were exfiltrating all [stolen information] to a database," says Carl Wright, general manager of TrapX. "They are very focused on manifests -- what's in it, what's the value of it."

Once the scanner is connected to the victim's wireless network, it attacks the corporate network via the server message block (SMB) protocol, and the scanned information, including origin, destination, contents, value, and shipper and recipient information, is sent to a botnet that terminates at the Lanxiang Vocational School, purportedly located in Shandong province in China. The school has been linked to the infamous Operation Aurora cyber espionage campaign that hit Google, Adobe, Intel, and many other major US firms more than four years ago, and is located one block from the inventory scanner manufacturer in question, according to TrapX.

The botnet then sends the scanner a second piece of malware that targets the victim's corporate financial, customer, shipping, and manifest information. "That was able to take control of the ERP [enterprise resource planning] system," he says. This would, among other things, allow the attacker to make a package "disappear" or "reappear," he says. The attack targets a specific, major ERP system, says Wright, who declined to reveal the name of the product due to an investigation into the attacks.

He says it's difficult to discern if the attackers are after the logistics firms themselves or their customers.

"The exfiltration of all financial data as well as CRM data was achieved, providing the attacker complete situational awareness and visibility into the shipping and logistics targets' worldwide operations," TrapX said in a report it published today on the attacks.

The poisoned inventory scanners echo previous concerns raised by the US government about doing business with Chinese technology companies. Huawei, Lenovo, and ZTE were among those firms called out by US officials in the past amid concerns their products could be backdoored with cyberspying malware.

"We notified the manufacturer of the said hardware and software. They denied culpability," Wright says. "And two days ago, we saw the same APT code had morphed and hit a couple of manufacturing companies looking for other things. The same codebase."

Meanwhile, in a separate development, a GAO report (PDF) warned of the vulnerability of US shipping ports to cyberattack, according to a report today in The Wall Street Journal. The GAO says the Department of Homeland Security must do more to shore up security in maritime and other ports.

"It has been recognized for some time that the administrative and controls systems networks at shipping ports are not only vulnerable, but high-priority targets for malicious activity. Particularly concerning is the threat terrorist organizations present to these networks and the physical and information networks that are present," says Mike Brown, vice president and general manager of the global public sector at RSA. "Over the past couple of years, DHS has begun to award funding [grants] to port authorities who prioritize cyber security efforts in their grant submissions."

Meantime, TrapX says one ZombieZero victim company running 48 inventory scanners from the unnamed Chinese manufacturer found that 16 of the devices were infected with the malware. A firewall sits between the inventory scanner wireless network and the corporate network at one of its sites, and the firewall blocked the initial attack attempt. But then came a second attack via the RADMIN protocol, or port 4899, that bypassed the firewall. Nine corporate servers were infected with the cyberspying malware. Its second site was defenseless -- no firewall -- so the attack went through SMB and infiltrated the corporate network and ERP servers, according to TrapX.

"All scanner attacks targeted very specific corporate servers. The attack looked for and compromised servers that had the word 'finance' in their Host name," according to the report.
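The two paths the article describes (SMB from the scanner wireless segment, then RADMIN on port 4899 getting past a firewall that had stopped the SMB attempt, with servers whose hostname contains "finance" singled out) map directly onto a flow-log detection rule. The script below is an added example, not TrapX's Threat Inspector or any code from the report; the scanner subnet, corporate subnet, hostnames and log lines are all constructed for the illustration. The article does not say how the victim's firewall was configured, so the `evaluate_policy` helper makes a general point only: a rule set that merely blocks the SMB ports still passes 4899, whereas a default-deny allow-list does not.

```python
"""Flag inventory-scanner traffic toward corporate servers over SMB or RADMIN.

Constructed example: the scanner Wi-Fi segment 10.50.0.0/24, the corporate
segment 10.10.0.0/16 and every flow line below are made-up values, not data
from the TrapX report.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

SCANNER_NET = ipaddress.ip_network("10.50.0.0/24")   # assumed scanner wireless segment
CORP_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed corporate segment

# Ports named in the article: SMB (445, plus 139 for NetBIOS-session SMB) and RADMIN (4899)
WATCHED_PORTS = {139: "smb", 445: "smb", 4899: "radmin"}

# Constructed flow records: timestamp src dst dst_port dst_hostname firewall_action
SAMPLE_FLOWS = """\
2014-07-09T08:01:12 10.50.0.17 10.10.4.20 445 dock-wms-01 allow
2014-07-09T08:01:13 10.50.0.17 10.10.4.21 445 finance-erp-01 deny
2014-07-09T08:02:40 10.50.0.17 10.10.4.21 4899 finance-erp-01 allow
2014-07-09T08:03:02 10.50.0.22 10.10.9.5 443 proxy-01 allow
2014-07-09T08:04:55 10.10.4.20 10.10.4.21 445 finance-erp-01 allow
"""


@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    host: str
    proto: str
    action: str
    severity: str


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, port, host, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), host, action


def scan_flows(text):
    """Return an Alert for every scanner-to-corporate flow on a watched port.

    Severity rises when the firewall let the flow through and again when the
    destination hostname contains 'finance', the naming the report says the
    malware hunted for.
    """
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, host, action = parse_flow(line)
        if src not in SCANNER_NET or dst not in CORP_NET:
            continue                      # only scanner segment -> corporate segment matters here
        proto = WATCHED_PORTS.get(port)
        if proto is None:
            continue                      # not SMB or RADMIN
        allowed = action == "allow"
        if "finance" in host.lower():
            severity = "critical" if allowed else "high"
        else:
            severity = "high" if allowed else "medium"
        alerts.append(Alert(ts, str(src), str(dst), host, proto, action, severity))
    return alerts


def summarize(alerts):
    """Count alerts per severity, e.g. {'high': 2, 'critical': 1}."""
    return dict(Counter(a.severity for a in alerts))


def evaluate_policy(port, deny_ports=None, allow_ports=None):
    """Decide what a simple port-based filter does with a flow.

    A deny-list stops only the ports it names; an allow-list (default deny)
    stops everything it does not name. Passing allow_ports selects the latter.
    """
    if allow_ports is not None:
        return "allow" if port in allow_ports else "deny"
    return "deny" if port in (deny_ports or set()) else "allow"


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(f"{alert.severity:8} {alert.proto:6} {alert.src} -> {alert.host} ({alert.action})")
    print("deny-list {445} passes 4899:", evaluate_policy(4899, deny_ports={445}))
    print("allow-list {443} blocks 4899:", evaluate_policy(4899, allow_ports={443}))
```

On the constructed sample the SMB attempt against the finance server is denied but still surfaces as a high-severity alert, because a scanner reaching for a server named "finance" over SMB is itself the signal worth chasing; the RADMIN flow that the filter allowed is the critical one. Running the same logic over real firewall or NetFlow exports only requires adapting `parse_flow` to the export's column layout.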

TrapX today also released a free tool for forensics investigators called Threat Inspector. "We've cobbled together some top open source tools and put in a front-end wizard that will allow any engineer to get forensics reports off infected machines," TrapX's Wright says.

The full report on ZombieZero is available here.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
CharlieM299
User Rank: Apprentice
7/11/2014 | 12:16:47 PM
Great way to kill your business with everyone in the world.
Who will want to buy anything from China with electronics in it?
Kelly Jackson Higgins
User Rank: Strategist
7/11/2014 | 6:52:19 AM
Re: Supply Chain Attacks: Handheld Scanners to Datacenter Servers
Good point, @LUFU. I also think that politically, the US became a little less loud about it after the NSA revelations--specifically, TAO's ops.
LUFU
User Rank: Apprentice
7/10/2014 | 6:44:21 PM
Re: Supply Chain Attacks: Handheld Scanners to Datacenter Servers
@Kelly - I think concerns about using Chinese-made technology have never really abated, at least within the US defense industry. Where it has probably been downplayed somewhat has been within the commercial sector, with security taking a backseat to doing business. That may change as the threats are exposed.
Kelly Jackson Higgins
User Rank: Strategist
7/10/2014 | 4:21:42 PM
Re: Supply Chain Attacks: Handheld Scanners to Datacenter Servers
@CrypTodd, I definitely had the same thoughts. This definitely has shades of TAO techniques, but with what appears to be an interest in who's shipping what and to whom. I also wonder if it will revive concerns about using Chinese-made technology that could be tainted with malware. And you're right--bad guys looking to make a buck could also employ these same techniques (if they're not already). #supplychain 
CrypTodd01
User Rank: Apprentice
7/10/2014 | 3:01:06 PM
Supply Chain Attacks: Handheld Scanners to Datacenter Servers
Super-interesting article - I have not seen much in the way of supply chain compromises until this news came along. This same attack technique (modifying firmware to go after systems) could be used against other pieces of the IT supply chain (NIC cards, server firmware). I think some of the NSA Tailored Access Operations (TAO) catalog had similar techniques. It is simply a matter of time before bad guys use the techniques pioneered by sophisticated state actors against other pieces of IT infrastructure that contain sensitive information (if they are not doing so already). IT shops had better start attesting the integrity of their infrastructure or risk having it compromised.

CrypTodd