Learning from Zombie Zero Attacks Targeting ERP Systems

In my previous post I talked about the discovery of targeted malware embedded in physical scanners that were sold to shipping and logistics companies. Once operational, the malware searched the victim’s network for ERP systems, compromised them (from the report it would appear all systems were compromised, and based on our own experience that has been the case in our engagements) and copied the data from these systems back to command and control servers, reportedly based in China.

It is tempting to think that this is an isolated problem specific to one industry, but the reality is that all businesses have hardware attached to their network that runs, or has access to, their critical systems and infrastructure. Counterfeit equipment is a long-standing problem, with these fakes being hard to distinguish from the real thing. With the practice of the hardware being assembled by one company and the firmware being produced by another, there is even more room for malicious software or instructions to be added to printers, switches, routers and other equipment that exists in almost every network today.


Holding the attack in your hand: how organizations’ ERP systems are the target of Zombie Zero

Picture someone walking around a section of your business and simply scanning your business-critical data, financial records and other ERP information away. It sounds like something out of Star Trek, but in a report published by Antone Gonsalves on CSO Online this has already happened to at least half a dozen large European and US companies.

What happened? These companies all bought scanners from the same Chinese company for use in their shipping departments. These scanners were later discovered to have malware installed on them, and when the scanners were connected to the business’s network and operated, the malware was activated. This targeted malware, dubbed Zombie Zero, consisted of a three-stage attack.

Stage one had the scanner look for and try to compromise any server with the word ‘finance’ in the host name. This searching and compromising activity would continue until the malware discovered and compromised such a host, which each time was an ERP system. At this point stage two would begin.
