How a Security Company Zapped Zombie Zero
The Zombie Zero attack began when an infected handheld scanner was connected to the manufacturer’s wireless network. Using the Server Message Block (SMB) protocol, the scanner immediately launched an automated attack on the corporate environment.
The malware copied scanned data and sent it via a command-and-control connection to a Chinese botnet. The botnet terminated at the Lanxiang Vocational School, which has allegedly been implicated in the Operation Aurora attack and multiple attacks on Google.
The botnet downloaded a second payload and established a more sophisticated command-and-control connection to the company’s finance servers. That gave cybercriminals access to corporate financial data, customer data, and detailed shipping and manifest information.
The manufacturer’s financial and CRM data were compromised, giving the attacker complete visibility into the shipping and logistics of the company’s worldwide operations.
The manufacturer had two sites with scanners. It had a firewall at one site between the corporate production network and the end-point scanner wireless network, but not at the other site.
The manufacturer used leading security brands for IPS, IDS, mail gateways and agent-based products, but ….
Although the shipping and logistics target installed security certificates on its scanner devices for network authentication, the devices were already infected with malware, so the certificates were completely compromised.
The attacks were discovered when the victim conducted a proof of concept of TrapX 360 at the first site. Within 90 minutes, TrapX 360 detected the attacks and completed an automated forensics analysis. At the second site, where there was no firewall, the product detected and revealed the anatomy of the attack within 27 seconds.
TrapX 360 emulates hundreds of nodes and services across the network. It also senses hostile scans and spins up targeted honeypots. These techniques act as malware tripwires, the company says.
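The two behaviours described above, an infected endpoint sweeping the corporate network over SMB and a decoy host acting as a tripwire, can both be caught from ordinary connection logs. The script below is an added example, not TrapX code or anything from the original article: it flags any source that reaches an unusually large number of distinct SMB hosts within a short window, and reports every connection to a decoy address, since a decoy serves no legitimate clients. The log format, the addresses, the decoy list and the thresholds are constructed assumptions for illustration.

```python
"""Detect an SMB fan-out from a single endpoint and treat any contact with a
decoy host as a tripwire hit. Added example for illustration; it is not TrapX
code. Log format, addresses and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
# Constructed: addresses a tripwire product would emulate as decoy nodes.
DECOY_HOSTS = {"10.20.0.50", "10.20.0.51"}
FANOUT_THRESHOLD = 10          # distinct SMB targets from one source ...
WINDOW = timedelta(minutes=5)  # ... within this time span

# Constructed sample connection log: an infected scanner (10.30.5.17) sweeps
# twelve hosts on 445 within a minute and also touches a decoy; a benign
# workstation (10.30.5.20) reaches two file servers and one web server.
SAMPLE_LOG = [
    f"2014-07-10T08:00:{i:02d} src=10.30.5.17 dst=10.20.0.{i} dport=445 proto=tcp"
    for i in range(1, 13)
] + [
    "2014-07-10T08:00:30 src=10.30.5.17 dst=10.20.0.50 dport=445 proto=tcp",
    "2014-07-10T08:01:00 src=10.30.5.20 dst=10.20.0.3 dport=445 proto=tcp",
    "2014-07-10T08:01:05 src=10.30.5.20 dst=10.20.0.4 dport=445 proto=tcp",
    "2014-07-10T08:01:10 src=10.30.5.20 dst=10.20.0.80 dport=443 proto=tcp",
]


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str), "src": kv["src"],
            "dst": kv["dst"], "dport": int(kv["dport"])}


def smb_fanout_sources(events):
    """Return sources that reached at least FANOUT_THRESHOLD distinct hosts on
    SMB ports inside some interval no longer than WINDOW."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["dport"] in SMB_PORTS:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = set()
    for src, hits in per_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward so hits[start..end] fits in WINDOW.
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= FANOUT_THRESHOLD:
                flagged.add(src)
                break
    return flagged


def decoy_hits(events):
    """Every connection to a decoy is a tripwire hit: decoys have no real
    clients, so any touch is suspicious regardless of volume."""
    return sorted({(ev["src"], ev["dst"]) for ev in events
                   if ev["dst"] in DECOY_HOSTS})


def analyze(lines):
    """Run both detectors over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines if line.strip()]
    return {"smb_fanout": sorted(smb_fanout_sources(events)),
            "decoy_hits": decoy_hits(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```

The fan-out rule is rate-based and tunable, so a real deployment would set the threshold from a baseline of what endpoints on the scanner network normally contact; the decoy rule needs no tuning at all, which is what makes a tripwire attractive on a network segment whose devices cannot be trusted.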
An emerging defense philosophy says that if security departments institute the right defense and the right processes to stop attacks early, they can prevent the kill chain and later consequences, like mass infections and data breaches.
Because its product operates in real time and buffers key assets from attacks, TrapX says it is now possible to eliminate blind spots by breaking the kill chain flow.