Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chinese Hackers Infiltrate Firms Using Malware-Laden Handheld Scanners

Posted by timothy on from the location-location-location dept.

wiredmikey (1824622) writes China-based threat actors are using sophisticated malware installed on handheld scanners to target shipping and logistics organizations from all over the world. According to security firm TrapX, the attack begins at a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they're handling. The Chinese manufacturer installs the malware on the Windows XP operating systems embedded in the devices.

Experts determined that the threat group targets servers storing corporate financial data, customer data and other sensitive information. A second payload downloaded by the malware then establishes a sophisticated C&C on the company's finance servers, enabling the attackers to exfiltrate the information they're after. The malware used by the Zombie Zero attackers is highly sophisticated and polymorphic, the researchers said. In one attack they observed, 16 of the 48 scanners used by the victim were infected, and the malware managed to penetrate the targeted organization's defenses and gain access to servers on the corporate network. Interestingly, the C&C is located at the Lanxiang Vocational School, an educational institution said to be involved in the Operation Aurora attacks against Google, and which is physically located only one block away from the scanner manufacturer, TrapX said.

12 of 93 comments (clear)

  1. Problem traced by invictusvoyd · · Score: 5, Insightful

    The Chinese manufacturer installs the malware on the Windows XP operating systems embedded in the devices.

    1. Re:Problem traced by K.+S.+Kyosuke · · Score: 3, Interesting

      With the code size these things tend to have, you could embed an office package into it and nobody would notice. I wonder what happened to the habit of making embedded systems simple and transparent...

      --
      Ezekiel 23:20
    2. Re:Problem traced by drinkypoo · · Score: 4, Interesting

      I wonder what happened to the habit of making embedded systems simple and transparent...

      I remember some 20 years ago a friend of mine was telling me that sooner or later, your microwave would have a whole operating system on it, even though it only performed simple tasks. It was already cheaper even then to use a MCU over discrete logic for many devices which were not staggeringly complex. It's about development time. As long as we fail to demand quality, we will continue to get what is convenient to produce in quantity. Pity about quality.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Problem traced by plover · · Score: 4, Informative

      The "scanner" portion of these devices is typically an embedded system that drives a hardware sensor, and speaks USB out the back side. You could probably open one up, solder a cable to the right points on the scanner board, and you'd have exactly the simple and transparent scanner you requested.

      But because the business wants a truckload (no pun intended) of functionality out of these scanners, they need it to have more capabilities. First, it needs to be on the network, or it won't give them any benefit. Next, it needs to be multi-tasking so it can display alerts, etc. Its primary task may be to inventory the stuff coming off a truck, its other tasks may include assigning work items to line employees, displaying alerts on the supervisors' screens, punching the timeclock for breaks, and possibly even employee email. To a lot of businesses, a browser based interface lets them run whatever kind of functions they want, without the expense of continually pushing a bunch of apps out to a bunch of random machines. So taking all that together, embedded XP is one (bloated) way of meeting all that.

      So while the scanner itself is simple, it's the rest of the hardware in the device that was infested with XP and other malware.

      --
      John
    4. Re:Problem traced by saleenS281 · · Score: 2

      It would be just as, if not easier to put a backdoor in a proprietary embedded system. Unless the companies in question both demand and inspect the entire source code for their scanners, it doesn't matter WHAT is running on them.

    5. Re:Problem traced by K.+S.+Kyosuke · · Score: 2

      I fully understand how an MCU saves time over using discrete logic. That is a trivial issue. But I sort of fail to see how dealing with complex software on top of complex hardware beats using simple (not trivial!) software on top of simple hardware, perhaps with the exception of this being The Only Way for a lot of solution vendors ("What, you don't want to program in C++ with our 3GB environment? But that's how we do things!").

      --
      Ezekiel 23:20
  2. Backtrack the financials... by Etherwalk · · Score: 4, Interesting

    Check for uncanny puts and calls on the market before earnings reports come out that can be traced to related parties...

  3. Re:China-based threat actors by toejam13 · · Score: 5, Informative

    They are probably using Windows XP Embedded (XPe), which is a customizable version of the OS. Customers can strip the OS down to only the components they need, significantly reducing the footprint of the OS.

    XPe benefits from being able to use standard XP hardware drivers. Sometimes a driver simply isn't available for Linux, QNX, VxWorks or other embedded OSes. That's one reason that OS/2 based ATMs are disappearing - not because of security, but because drivers for newer card readers don't exist.

    Lastly, you'd be surprised at what a modern scanner looks like. It doesn't just read barcodes and go beep. My workplace uses scanners for inventory tracking, and they come with a full GUI where we can associate new parts with a chassis, report drives being shredded, and just about anything you can think of inventory related.

  4. Open source. by Karmashock · · Score: 2

    Really we are just seeing a failure in widely used proprietary software.

    Obscure proprietary software is less of a problem because hackers are less likely to attack it.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  5. Re:China-based threat actors by Viol8 · · Score: 2

    "Or are we talking about thespians who specialize in instilling apprehension and dread, while standing on top of dinnerware?"

    Well if they call everyone "Daaahhling!" and have endless anecdotes about how they were at the RSC with Daaahhling Larry doing a particularly evil modern day interpretation of Richard III involving hackers then that may well be the case.

  6. it isn't XP, it's an ethics problem by stokessd · · Score: 2

    If the summary is at all accurate, the manufacture built both the hardware and the software. So blaming the OS is silly. This is a case where any OS could be used, even a custom one, and they would add the spying functionality as they were building it. The real issue is buying hardware systems from unethical folks, no OS hardening in the world will help you when the manufacture controls it.

    If China doesn't improve their stand on ethics, they will be relegated to building bath toys and partial systems where their leaks and theft aren't super critical. If they hope to join the rest of the developed world, they need to get their shit together.

  7. Re:China-based threat actors by dna_(c)(tm)(r) · · Score: 2

    Sometimes a driver simply isn't available for Linux, QNX, VxWorks or other embedded OSes.

    That is actually the best argument to avoid such hardware. Rely on hardware that is open standards based, then you can reduce dependency on proprietary drivers

    The reason they have to stay with XPe is because there probably aren't any drivers for Vista/Win7/Win8/Win8.1 So much for the benefit of reusing XP drivers