
How a Security Company Zapped Zombie Zero
Infected Scanners Compromise Network
The Zombie Zero attack began when an infected handheld scanner was connected to the manufacturer’s wireless network. Using the Server Message Block (SMB) protocol, the scanner immediately launched an automated attack on the corporate environment.
Scanned Data Rerouted
The malware copied scanned data and sent it via a command-and-control connection to a Chinese botnet. The botnet terminated at the Lanxiang Vocational School, which has allegedly been implicated in the Operation Aurora attack and multiple attacks on Google.
Chinese Botnet Launched Second Attack
The botnet downloaded a second payload and established a more sophisticated command-and-control connection to the company’s finance servers. That gave cybercriminals access to corporate financial data, customer data, and detailed shipping and manifest information.
Financial Data of Target Breached
The manufacturer’s financial and CRM data were compromised, giving the attacker complete visibility into the shipping and logistics of the company’s worldwide operations.
Victim’s Line of Defense
The manufacturer had two sites with scanners. It had a firewall at one site between the corporate production network and the end-point scanner wireless network, but not at the other site.
Security Precautions in Place
The manufacturer used leading security brands for IPS, IDS, mail gateways and agent-based products, but ….
Security Certificates Failed
Although the shipping and logistics target installed security certificates on its scanner devices for network authentication, the devices were already infected with malware, so the certificates were completely compromised.
Discovery of the Attacks
The attacks were discovered when the victim conducted a proof of concept of TrapX 360 at the first site. Within 90 minutes, TrapX 360 detected the attacks and completed an automated forensics analysis. At the second site, where there was no firewall, the product detected and revealed the anatomy of the attack within 27 seconds.
An Array of Honeypots
TrapX 360 emulates hundreds of nodes and services across the network. It also senses hostile scans and spins up targeted honeypots. These techniques act as malware tripwires, the company says.
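The two signals this story turns on are a scanner-segment device opening SMB sessions into the corporate network (the initial attack) and a host touching many addresses, including decoys that no legitimate client should ever contact (what the honeypot layer senses). The script below is an added illustration of that detection logic over constructed flow records, not TrapX code; the subnets, decoy addresses and log format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed network layout modelled on the scenario: handheld scanners on a
# wireless end-point segment, business systems on the corporate production network.
SCANNER_NET = ipaddress.ip_network("10.50.0.0/24")      # assumed scanner WLAN
CORP_NET = ipaddress.ip_network("10.10.0.0/16")         # assumed corporate network
DECOYS = {"10.10.9.201", "10.10.9.202", "10.10.9.203"}  # assumed emulated decoy hosts
SMB_PORTS = {139, 445}
SCAN_FANOUT = 3   # distinct destinations from one source before it is called a scan

def parse_flow(line):
    """Parse a constructed flow-log line: '<ts> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def analyze(lines):
    """Return alert strings for: SMB originating on the scanner segment and
    entering the corporate network, any contact with a decoy host (decoys have
    no real users, so every touch is suspect), and scan-like fan-out."""
    alerts = []
    fanout = defaultdict(set)   # source -> distinct destinations seen
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if str(dst) in DECOYS:
            alerts.append(f"{ts} DECOY {src}->{dst}:{port}")
        if src in SCANNER_NET and dst in CORP_NET and port in SMB_PORTS:
            alerts.append(f"{ts} SMB_FROM_SCANNER {src}->{dst}:{port}")
        fanout[src].add(dst)
        if len(fanout[src]) == SCAN_FANOUT:   # fire once, when the threshold is hit
            alerts.append(f"{ts} SCAN_FANOUT {src} reached {SCAN_FANOUT} hosts")
    return alerts

# Constructed sample flows: one scanner probing the corporate network over SMB,
# hitting a decoy, then fanning out; plus benign corporate and HTTP traffic.
FLOWS = [
    "100 10.50.0.7 10.10.1.5 445",
    "101 10.50.0.7 10.10.9.201 445",
    "102 10.50.0.7 10.10.1.6 22",
    "103 10.10.2.4 10.10.1.5 445",
    "104 10.50.0.9 10.10.1.5 80",
]

if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(alert)
```

Only the scanner at 10.50.0.7 trips the rules; the corporate-to-corporate SMB flow and the scanner's HTTP request stay silent, which is the point of keying the SMB rule on the originating segment rather than on the port alone.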
Completing the Kill Chain
An emerging defense philosophy holds that if security departments put the right defenses and processes in place to stop attacks early, they can break the kill chain and prevent its later consequences, such as mass infections and data breaches.
Eliminating Blind Spots
Because its product operates in real time and buffers key assets from attacks, TrapX says it is now possible to eliminate blind spots by breaking the flow of the kill chain.