Infected Chinese inventory scanners ships off logistics intel

A Chinese manufacturer has been accused of implanting malware that steals supply chain intelligence in its hand-held scanner firmware.

Security firm TrapX says infected scanners have been sold to eight unnamed firms including a large robotics company.

Variants of the malware broke into enterprise resource planning platforms to steal financial, logistical and customer information which was exfiltrated to the unnamed accused Chinese manufacturer located in Shandong province, a block from the Lanxiang Vocational School said to be the headquarters of the Google Aurora attacks.

The manufacturer denied knowledge that its scanners and website-hosted software were infected.

Infected scanners once connected to one firm's wireless network attacked its corporate network via the SMB protocol, morphing to infect using the RADMIN protocol more than nine servers after it was initially blocked by a firewall.

Sixteen of the 48 scanners deployed at the firm were infected, TrapX found, which successfully sought out and compromised host names containing the word finance and siphoning off the logistical and financial data stored within.

TrapX

A "comprehensive" command and control link was then established to a bot terminating near Lanxiang before another stealthier connection was made between the hacked financial and a Beijing drop.

"Exfiltration of all financial data and ERP data was achieved, providing the attacker complete situational awareness and visibility into the logistic/shipping company’s worldwide operations," the report Anatomy of the Attack: Zombie Zero (PDF) read.

TrapX suspected the attacks dubbed Zombie Zero were backed by Beijing in a bid to gain intelligence on either logistics firms or their customers.

One of the hacked firms deployed the security company's network of targeted honeypots to capture the attackers' activity which it described as creating security through "deception and interdiction". ®