How a Security Company Zapped Zombie Zero

By Karen A. Frenkel  |  Posted 08-18-2014

A security company has discovered Chinese malware, called Zombie Zero, that attacks shipping companies through the handheld scanners they use to track shipped inventory. The malware has hit a large manufacturing company as well as seven other customers that use the handheld scanners. The security company that made the Zombie Zero discovery is TrapX, formerly known as CyberSense. It says a Chinese manufacturer that sells proprietary hardware for handheld scanners shipped Zombie Zero in the Windows XP installation put on the devices at its location in China. The malware can also be downloaded from the Chinese manufacturer's support Website. The Chinese manufacturer sold the scanners, which carried a variant of this malware, to a large manufacturing company and other customers.

"Attacks keep slipping through corporate defense-in-depth architectures because legacy security products aren't built to adapt to threats in real time," TrapX says. "Today's threats are as fluid as today's clouds and data centers. The next generation of security technologies must be just as elastic." Below we describe the "nation-state sponsored" attack, as TrapX characterizes it, and the steps taken in its wake. For TrapX's report on this incident (registration required), click here.

  • Infected Scanners Compromise Network

    The Zombie Zero attack began when an infected handheld scanner was connected to the manufacturer's wireless network. Using the Server Message Block (SMB) protocol, the scanner immediately launched an automated attack on the corporate environment.

  • Scanned Data Rerouted

    The malware copied scanned data and sent it over a command-and-control connection to a Chinese botnet. The botnet terminated at the Lanxiang Vocational School, which has allegedly been implicated in the Operation Aurora attack and multiple attacks on Google.

  • Chinese Botnet Launched Second Attack

    The botnet downloaded a second payload and established a more sophisticated command-and-control connection to the company's finance servers. That gave the cybercriminals access to corporate financial data, customer data, and detailed shipping and manifest information.

  • Financial Data of Target Breached

    The manufacturer's financial and CRM data were compromised, giving the attacker complete visibility into the shipping and logistics of the company's worldwide operations.

  • Victim's Line of Defense

    The manufacturer had two sites with scanners. At one site it had a firewall between the corporate production network and the end-point scanner wireless network; at the other site it did not.

  • Security Precautions in Place

    The manufacturer used leading security brands for IPS, IDS, mail gateways and agent-based products, but ….

  • Security Certificates Failed

    Although the shipping and logistics target installed security certificates on its scanner devices for network authentication, the devices were already infected with malware, so the certificates were completely compromised.

  • Discovery of the Attacks

    The attacks were discovered when the victim conducted a proof of concept of TrapX 360 at the first site. Within 90 minutes, TrapX 360 detected the attacks and completed an automated forensics analysis. At the second site, where there was no firewall, the product detected and revealed the anatomy of the attack within 27 seconds.

  • An Array of Honeypots

    TrapX 360 emulates hundreds of nodes and services across the network. It also senses hostile scans and spins up targeted honeypots. These techniques act as malware tripwires, the company says.

  • Completing the Kill Chain

    An emerging defense philosophy holds that if security departments put the right defenses and the right processes in place to stop attacks early, they can interrupt the kill chain and avert its later consequences, such as mass infections and data breaches.

  • Eliminating Blind Spots

    Because its product operates in real time and buffers key assets from attacks, TrapX says it is now possible to eliminate blind spots by breaking the kill chain flow.
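The first slide describes the scanner fanning out over SMB into the corporate environment, and the honeypot slide describes detecting hostile scans; the gap at the second site was the missing firewall between the scanner wireless network and production. The script below is an added example written for this page, not TrapX's or the manufacturer's code, of how a defender would spot that behaviour in firewall or flow logs. It assumes a simple key=value log format and assumes the scanner wireless network is 10.50.0.0/16 and the corporate production network is 10.10.0.0/16; the log lines are constructed.

```python
"""Flag handheld-scanner devices that fan out over SMB (TCP/445) to many
internal hosts, and list scanner-to-production SMB flows a firewall allowed.

Added example, not TrapX's code. Assumes (hypothetical) address ranges:
scanner wireless segment 10.50.0.0/16, corporate production 10.10.0.0/16,
and a constructed key=value firewall log format.
"""
import ipaddress
import re
from collections import defaultdict

SCANNER_NET = ipaddress.ip_network("10.50.0.0/16")    # assumption
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")  # assumption
SMB_PORT = 445
SWEEP_THRESHOLD = 5  # distinct production hosts hit over SMB by one scanner

# Constructed sample log: scanner 10.50.1.23 sweeps the production segment on
# 445 (one attempt denied); scanner 10.50.1.40 only talks to its inventory
# server on 8443; a production host talks SMB to another production host.
SAMPLE_LOG = """\
2014-08-18T10:00:01 src=10.50.1.23 dst=10.10.0.5 dport=445 proto=tcp action=allow
2014-08-18T10:00:01 src=10.50.1.23 dst=10.10.0.6 dport=445 proto=tcp action=allow
2014-08-18T10:00:02 src=10.50.1.23 dst=10.10.0.7 dport=445 proto=tcp action=allow
2014-08-18T10:00:02 src=10.50.1.23 dst=10.10.0.8 dport=445 proto=tcp action=allow
2014-08-18T10:00:02 src=10.50.1.23 dst=10.10.0.9 dport=445 proto=tcp action=deny
2014-08-18T10:00:03 src=10.50.1.23 dst=10.10.0.10 dport=445 proto=tcp action=allow
2014-08-18T10:00:03 src=10.50.1.23 dst=10.10.0.5 dport=445 proto=tcp action=allow
2014-08-18T10:00:04 src=10.50.1.40 dst=10.10.0.50 dport=8443 proto=tcp action=allow
2014-08-18T10:00:05 src=10.10.0.50 dst=10.10.0.5 dport=445 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def scanner_to_production_smb(log_text):
    """Yield parsed records for TCP/445 flows from the scanner segment into
    the production segment, whether the firewall allowed or denied them."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != SMB_PORT:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in SCANNER_NET and dst in CORPORATE_NET:
            yield rec


def smb_sweeps(log_text, threshold=SWEEP_THRESHOLD):
    """Map each scanner source to the distinct production hosts it reached or
    tried to reach on 445; keep only sources at or above the threshold.

    Denied attempts count too: a scanner has no business speaking SMB to the
    production network, so the attempt is the signal, not the outcome.
    """
    targets = defaultdict(set)
    for rec in scanner_to_production_smb(log_text):
        targets[rec["src"]].add(rec["dst"])
    return {
        src: sorted(dsts, key=ipaddress.ip_address)
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


def unsegmented_smb(log_text):
    """Return (src, dst) pairs the firewall ALLOWED from scanners into
    production on 445: each is a segmentation rule that should exist
    (the gap the article notes at the manufacturer's second site)."""
    return [
        (rec["src"], rec["dst"])
        for rec in scanner_to_production_smb(log_text)
        if rec["action"] == "allow"
    ]


if __name__ == "__main__":
    for src, dsts in smb_sweeps(SAMPLE_LOG).items():
        print(f"SMB sweep from scanner {src}: {len(dsts)} production hosts {dsts}")
    print(f"{len(unsegmented_smb(SAMPLE_LOG))} allowed scanner->production SMB flows")
```

Run against the sample log, the sweep check singles out 10.50.1.23 (six distinct production hosts, the denied attempt included) and leaves the healthy scanner and the production-to-production SMB flow alone; the allowed-flow list is the evidence that the segment lacked a firewall rule of the kind the first site had.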
Karen A. Frenkel writes about technology and innovation and lives in New York City.

