Malware Siphons the 'Brains' of Shipping Companies in Sophisticated Supply Chain Attack

Photo credit: Nemar74/
Photo credit: Nemar74/

A highly sophisticated, polymorphic, and advanced persistent malware dubbed "Zombie Zero" is targeting the shipping and logistics industry across the globe. Like a scourge of the reanimated, it appears to have overwhelmed traditional defenses rapidly.

According to security firm TrapX's analysis, “weaponized malware was delivered into shipping and logistics enterprise environments from a Chinese manufacturer responsible for selling proprietary hardware for terminal scanners used to inventory items being shipped or transported in and out many countries.”

The bug has been able to accomplish the exfiltration of all financial data as well as CRM data, thus providing the attacker complete situational awareness and visibility into the shipping and logistics targets’ worldwide operations – a clear industrial espionage campaign.

TrapX said that all data harvested by Zombie Zero was pushed out to a Chinese botnet that terminated at the Lanxiang Vocational School located in the China Unicom Shandong province network – the same “school” that has been linked to online attacks of Google and implicated in the Operation Aurora attack in 2010. The manufacturer, in fact, is located just blocks away from the Lanxiang Vocational School.

It’s an ingenious, Trojan Horse-style attack vector, using the outdated Windows embedded XP operating system installed on peripherals to get the malware inside the shrink-wrapped box. Because it was loaded at the manufacturer's location in China, companies would have an automatic trust of the hardware and the software that runs it.

“Supply chain poisoning is a serious threat because suppliers are typically given some form of authorized access to an organization’s back-office systems,” said Gregory Nowak, principal research analyst at the Information Security Forum, in a comment to Infosecurity. “For an attacker, the hardest part of a successful exploit is getting the initial access to systems that will enable the attacker to explore the organization’s infrastructure with the intent of escalating the attack. We take great pains to deny access to anonymous attacks – but suppliers are invited in and given access."

In all, Zombie Zero was also sold and delivered with the trojan peripheral to a large manufacturing company as well as to seven other identified customers of this hardware product worldwide, TrapX noted. Further, it could also be downloaded by unsuspecting victims from the Chinese manufacturer's support website.

Once delivered to oblivious inventory-takers and attached to the wireless network, the scanners immediately began an automated attack of the corporate environment using the server message block protocol.

“The shipping and logistics target installed security certificates on its scanner devices for network authentication but because the devices were already infected with the advanced persistent malware from the manufacturer, the certificates were completely compromised,” the firm explained. “The scanned data (origin, destination, contents, value, to, from, etc.) was copied and sent out to an established comprehensive command and control connection (CnC) to a Chinese botnet that was terminated at the Lanxiang Vocational School.”

A second payload was then downloaded from the botnet that established a more sophisticated CnC of the company's finance servers, giving the cybercriminal access to corporate financial data, customer data, detailed shipping and manifest information.

Because of the unique method of infiltration and propagation, Zombie Zero was able to evade all security measures. "The problem with legacy security technologies is that they are not able to adapt to defend against emerging threats in real-time," said David Monahan, research director at Enterprise Management Associates. "Today's threat actors are smarter than ever morphing their attacks multiple times to achieve the goal of undermining existing security defenses.”

Complicating the issue is the fact that supply-chain malware positioning has gotten more possible thanks to a change in component manufacturing.

“While there could always be a case made for how well should you trust the third party for developing a component you require, the threat today is different than the past,” said Steve Lowing, director of product management at Promisec, in an email to Infosecurity. “In the past, electronic supplying was not as sophisticated, [and had] simpler ASICS and purpose-built circuitry that was far less likely to be compromised. Today, based on a variety of factors such as cheaper materials, market economics, even the internet of things (IoT), [there has been] a commercialization of [highly vulnerable], sophisticated components that do many tasks for a small price point.”

He added that these kinds of attacks will only grow as IoT becomes reality. “While defense in depth security practices coupled with treating these devices as any other endpoint that needs to be secured will help, the problem space grows exponentially when you start trusting these devices to do more than they originally were conceived for,” he noted. “For example, a printer that can perform automatic replenishment of ink would require some form of payment or transaction capabilities. While a convenience to the consumer or business worker, that device now becomes a potential target and could be exploited by such a supply chain attacker to install a sniffer on the device that would look for payment credentials.”

Notably, and possibly a blueprint for future attacks, the Zero Zombie attack combined elements of advanced persistent threat, malware, rootkits and compromised privileged access. “Each of these elements have been growing in sophistication individually, and they’re also being assembled into more sophisticated exploits,” Novak said. “We’re not seeing more of these attacks primarily because we haven’t been detecting them yet. There are very likely similar attacks that are in place and exfiltrating data right now.”

What’s Hot on Infosecurity Magazine?