Who would have thought that malware placed in handheld product scanners could jeopardize the security of enterprise resource planning (ERP) platforms? But a Chinese manufacturer stands accused of conducting such an attack, enabling firmware in the devices to harvest businesses’ financial and customer information and other proprietary data.
Dubbed “Zombie Zero” by the company that discovered the malware, analytics and threat-intelligence specialist TrapX, the software is designed to target the global shipping and logistics industry. The Chinese manufacturer delivered the “weaponized” malware into shipping and logistics enterprise environments where inventory items were being shipped or transported in and out many countries, the company said.
This type of security flaw illustrates not just the advanced technology crooks are using to get into ERP systems and company databases, but the extent to which they’ll look and find the holes in virtually every corner of a business’s operations. Whereas most malware attacks occur from outside an organization, what the Zombie Zero situation illustrates is that it can occur from inside companies as well when embedded into devices used within their facilities.
Moreover, many businesses aren’t even aware of the security problem in their ERP systems, much less have the means to detect or deter it. For B2B vendors, this can be particularly problematic in building trust with the companies in which they do business.
“The problem with legacy security technologies is that they are not able to adapt to defend against emerging threats in real time,” David Monahan, research director at Enterprise Management Associates, said in TrapX’s announcement. “Today’s threat actors are smarter than ever, morphing their attacks multiple times to achieve the goal of undermining existing security defenses. The next generation of security solutions must be just as adaptable to counter these modern threats.”
The Chinese manufacturer delivered the Zombie Zero malware through the Windows embedded XP operating system installed on the hardware at its location in China, and third parties also could download it from the manufacturer’s support website, according to TrapX, once known as CyberSense. The manufacturer also sold and delivered a variant of the malware with the same hardware product to a large manufacturing company and to seven other identified product customers worldwide, TrapX said.
Once a business attached the scanner to a wireless network and began using it, the malware automatically used the server message block protocol to attack the corporate systems, compromising security certificates. The malware scanned and copied such information as product origin, destination, contents and value and sent the data via a botnet to the Lanxiang Vocational School, which had earlier been linked to online attacks of Google. The Chinese scanner manufacturer is located blocks away from the school, TrapX said.
“The exfiltration of all financial data as well as CRM data was achieved providing the attacker complete situational awareness and visibility into the shipping and logistics targets’ worldwide operations,” TrapX said.
In a recent interview with CSO, Mariano Nunez, founder and CEO of security-services provider Onapsis, noted that protecting ERP and supply-chain management platforms, while important, is no easy task, and there are a number of challenges.
“Even in a lot of mature organizations, these ERP systems have grown organically, through individual business units creating their own systems to external systems integrated to the core via acquisitions,” he said. “Understanding the true scope and interconnectivity of these systems is a significant project.”
Indeed, the protocols these systems use are often proprietary, meaning traditional intrusion-detection systems and other technology are unable to understand the communication between the systems and distinguish good traffic from malicious traffic, Nunez said.