How a Security Company Zapped Zombie Zero

Infected Scanners Compromise Network

The Zombie Zero attack began when an infected handheld scanner was connected to the manufacturer’s wireless network. Using the Server Message Block (SMB) protocol, the scanner immediately launched an automated attack on the corporate environment.

Scanned Data Rerouted

The malware copied scanned data and sent it via a command-and-control connection to a Chinese botnet. The botnet terminated at the Lanxiang Vocational School, which has allegedly been implicated in the Operation Aurora attack and multiple attacks on Google.

Chinese Botnet Launched Second Attack

The botnet downloaded a second payload and established a more sophisticated command-and-control connection to the company’s finance servers. That gave the cybercriminals access to corporate financial data, customer data, and detailed shipping and manifest information.

Financial Data of Target Breached

The manufacturer’s financial and CRM data were compromised, giving the attacker complete visibility into the shipping and logistics of the company’s worldwide operations.

Victim’s Line of Defense

The manufacturer had two sites with scanners. It had a firewall at one site between the corporate production network and the end-point scanner wireless network, but not at the other site.

Security Precautions in Place

The manufacturer used leading security brands for IPS, IDS, mail gateways and agent-based products, but ….

Security Certificates Failed

Although the shipping and logistics target installed security certificates on its scanner devices for network authentication, the devices were already infected with malware, so the certificates were completely compromised.

Discovery of the Attacks

The attacks were discovered when the victim conducted a proof of concept of TrapX 360 at the first site. Within 90 minutes, TrapX 360 detected the attacks and completed an automated forensics analysis. At the second site, where there was no firewall, the product detected and revealed the anatomy of the attack within 27 seconds.

An Array of Honeypots

TrapX 360 emulates hundreds of nodes and services across the network. It also senses hostile scans and spins up targeted honeypots. These techniques act as malware tripwires, the company says.
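The two defensive signals this article describes, a device on the scanner wireless network fanning out SMB connections (the automated attack in the first slide) and a client touching an emulated node that no legitimate user ever addresses (the honeypot tripwire above), can be expressed as a small detector. The code below is an added illustration, not TrapX's product logic or anything the article quotes; the scanner subnet, the decoy addresses, the fan-out threshold and the log lines it reads are all constructed for the example.

```python
# Added example (not TrapX code): a minimal deception-tripwire detector.
# It reads constructed connection-log lines and raises an alert when a host
# on the handheld-scanner network either
#   (a) contacts a decoy host that no legitimate client should ever touch, or
#   (b) opens SMB (TCP/445) connections to many distinct hosts inside a short
#       window, the shape an automated SMB attack from an infected scanner takes.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SCANNER_NET = ipaddress.ip_network("10.20.0.0/24")    # assumption: scanner wireless VLAN
DECOY_HOSTS = {"10.10.0.250", "10.10.0.251"}           # assumption: emulated decoy nodes
SMB_PORT = 445
FANOUT_THRESHOLD = 5            # assumption: distinct SMB targets that count as a sweep
WINDOW = timedelta(seconds=60)  # assumption: sliding window for the fan-out count

# Constructed sample log: "<ISO timestamp> <src ip> <dst ip> <dst port>" per line.
# 10.20.0.17 is the "infected scanner"; 10.20.0.18 is a healthy scanner;
# 10.30.0.9 is outside the scanner VLAN and therefore out of scope here.
SAMPLE_LOG = """\
2014-07-01T08:00:01 10.20.0.17 10.10.0.5 445
2014-07-01T08:00:02 10.20.0.17 10.10.0.6 445
2014-07-01T08:00:03 10.20.0.18 10.10.0.3 443
2014-07-01T08:00:04 10.20.0.17 10.10.0.7 445
2014-07-01T08:00:05 10.20.0.17 10.10.0.250 445
2014-07-01T08:00:06 10.20.0.17 10.10.0.8 445
2014-07-01T08:00:07 10.30.0.9 10.10.0.250 445
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect(log_text):
    """Return a list of alert tuples, in the order they are raised."""
    alerts = []
    smb_by_src = defaultdict(list)   # src -> [(timestamp, dst)] within WINDOW
    fanout_alerted = set()           # alert once per source, not once per connection
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, port = parse_line(raw)
        if ipaddress.ip_address(src) not in SCANNER_NET:
            continue                 # only the scanner wireless network is watched here
        if dst in DECOY_HOSTS:
            # Any contact with an emulated node is suspicious by construction.
            alerts.append(("decoy_touch", src, dst, ts.isoformat()))
        if port == SMB_PORT:
            hist = smb_by_src[src]
            hist.append((ts, dst))
            # Keep only connections inside the sliding window.
            hist[:] = [(t, d) for t, d in hist if ts - t <= WINDOW]
            targets = {d for _, d in hist}
            if len(targets) >= FANOUT_THRESHOLD and src not in fanout_alerted:
                fanout_alerted.add(src)
                alerts.append(("smb_fanout", src, len(targets), ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run on the constructed log, the decoy touch fires on the fifth line and the SMB fan-out alert fires on the sixth, when the infected scanner reaches its fifth distinct SMB target; the healthy scanner's single HTTPS connection and the out-of-scope host produce nothing. A real deployment would feed this from firewall or flow logs and treat a decoy touch as high-confidence on its own, since decoys have no legitimate clients.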

Completing the Kill Chain

An emerging defense philosophy says that if security departments institute the right defenses and the right processes to stop attacks early, they can break the kill chain and prevent its later consequences, like mass infections and data breaches.

Eliminating Blind Spots

Because its product operates in real time and buffers key assets from attacks, TrapX says it is now possible to eliminate blind spots by breaking the flow of the kill chain.

Karen A. Frenkel
Karen A. Frenkel is a contributor to CIO Insight. She covers cybersecurity topics such as digital transformation, vulnerabilities, phishing, malware, and information governance.