A new battle front just opened up in the corporate espionage cyberwar. Security firm TrapX has released information on a new attack that appears to be focused on shipping and logistics firms, and is being delivered via hand-held inventory scanners made by a specific manufacturer in China. The wireless devices appear to contain malware that once connected to a company’s corporate network targets enterprise resource planning (ERP) servers and attempts to compromise them through a variety of known weaknesses. If successful it then facilitates the installation of command-and-control malware that provides a backdoor on the compromised server to an unidentified location in China. The manufacturer of the scanners has denied the devices were intentionally shipped with the malware, but their close proximity to the Lanxiang Vocational School (allegedly tied to other infamous hacking incidents) has raised security eyebrows everywhere.
What this means for you:
It’s a safe bet that you probably won’t be directly affected by this particular hacking vector unless you are one of the handful of firms who bought and used the devices before the manufacturer rectified the issue. However, this is just another crack in the dangerously swollen dike that is technology security, and the white hats are rapidly running out of fingers and toes with which to plug the holes. The fact that the Chinese have targeted supply chain technologies means they are fishing for big data to steal, and the amount of money (and power) at stake is enough for the bad guys to continually search out new ways to compromise and breach businesses. They know they have the good guys over a barrel, as we have to continually try to guess where the next mole will pop up in a playing grid with an infinite number of holes. Will we get to a point that we have to run a malware scan on anything with electronics and a means to transmit data? It’s starting to look that way.