Chinese Hackers Infiltrate Firms Using Malware-Laden Handheld Scanners
wiredmikey writes: China-based threat actors are using sophisticated malware installed on handheld scanners to target shipping and logistics organizations from all over the world. According to security firm TrapX, the attack begins at a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they're handling. The Chinese manufacturer installs the malware on the Windows XP operating systems embedded in the devices.
Experts determined that the threat group targets servers storing corporate financial data, customer data and other sensitive information. A second payload downloaded by the malware then establishes a sophisticated C&C on the company's finance servers, enabling the attackers to exfiltrate the information they're after. The malware used by the Zombie Zero attackers is highly sophisticated and polymorphic, the researchers said. In one attack they observed, 16 of the 48 scanners used by the victim were infected, and the malware managed to penetrate the targeted organization's defenses and gain access to servers on the corporate network. Interestingly, the C&C is located at the Lanxiang Vocational School, an educational institution said to be involved in the Operation Aurora attacks against Google, and which is physically located only one block away from the scanner manufacturer, TrapX said.
Problem traced (Score:5, Insightful)
Re:Problem traced (Score:4, Interesting)
Re:Problem traced (Score:5, Interesting)
I wonder what happened to the habit of making embedded systems simple and transparent...
I remember some 20 years ago a friend of mine was telling me that sooner or later, your microwave would have a whole operating system on it, even though it only performed simple tasks. It was already cheaper even then to use an MCU over discrete logic for many devices which were not staggeringly complex. It's about development time. As long as we fail to demand quality, we will continue to get what is convenient to produce in quantity. Pity about quality.
Re: (Score:3)
Re:Problem traced (Score:5, Informative)
The "scanner" portion of these devices is typically an embedded system that drives a hardware sensor, and speaks USB out the back side. You could probably open one up, solder a cable to the right points on the scanner board, and you'd have exactly the simple and transparent scanner you requested.
But because the business wants a truckload (no pun intended) of functionality out of these scanners, they need it to have more capabilities. First, it needs to be on the network, or it won't give them any benefit. Next, it needs to be multi-tasking so it can display alerts, etc. Its primary task may be to inventory the stuff coming off a truck; its other tasks may include assigning work items to line employees, displaying alerts on the supervisors' screens, punching the timeclock for breaks, and possibly even employee email. To a lot of businesses, a browser-based interface lets them run whatever kind of functions they want, without the expense of continually pushing a bunch of apps out to a bunch of random machines. So taking all that together, embedded XP is one (bloated) way of meeting all that.
So while the scanner itself is simple, it's the rest of the hardware in the device that was infested with XP and other malware.
Re: (Score:2)
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
No. You are just paranoid.
Not really (Score:1)
This was most likely done way before Windows XP was EOL, so blaming it on that isn't right. The big problem is that embedded software usually is closed source, hardly ever edited and almost never gets updated unless there are obvious bugs that limit functionality of the device.
embedded systems get less OS updates so any (Score:2)
Embedded systems get fewer OS updates / fall behind on patching, so any OS can be at risk.
Also, does that Linux system hook into Exchange / AD? Your DB? Etc.?
Re: (Score:2)
Well, Linux versions do go EOL as well, and if it's being embedded in the device it isn't really going to matter what OS it's being embedded in.
That said, embedding Windoze is pretty dumb for no other reason than it's an absolutely craptacular excuse for an operating system.
Re: (Score:1)
Assuming the holy mantra "physical access = security gone": even if they had the latest and greatest Windows 8.2 SP4 for Embedded, or were living on the edge with Arch Linux, they would still have been compromised.
The attacker can take as long as he likes to figure out a way to compromise the OS; if on a time crunch, simply send out a batch of good devices while you figure out how to shaft the next batch.
China-based threat actors (Score:1, Funny)
China-based threat actors are using sophisticated malware installed on handheld scanners to target shipping and logistics organizations from all over the world [...] The Chinese manufacturer installs the malware on the Windows XP operating systems embedded in the devices.
Okay... first, is a "China-based threat actor" anything like a Chinese hacker? Or are we talking about thespians who specialize in instilling apprehension and dread, while standing on top of dinnerware? Because these are two different things.
Also... Windows XP?!? There's the problem right there. Why in the name of Bob does someone have Windows EMBEDDED in a scanner? You need a GUI to make something go "BEEP"?!? Seriously? Next you'll say that your vacuum cleaner has Windows XP embedded. Hey, look,
Comment removed (Score:5, Informative)
Re: (Score:2)
But still vulnerable to a ton and a half of vulnerabilities. Sure you can cut your exposure down (like no IE) but that still doesn't mean that the OS can't be attacked in other ways. You also hit the nail on the head, obsolescence and driver support. A lot of companies want to get away from XP but that means upgrading other systems and in some cases processes because there aren't one for one analogs available. That's the bigger problem, when a company gets hemmed in by the tech they may have selected de
Re: (Score:3)
Sometimes a driver simply isn't available for Linux, QNX, VxWorks or other embedded OSes.
That is actually the best argument to avoid such hardware. Rely on hardware that is open-standards based; then you can reduce dependency on proprietary drivers.
The reason they have to stay with XPe is because there probably aren't any drivers for Vista/Win7/Win8/Win8.1. So much for the benefit of reusing XP drivers.
Re: (Score:2)
Sometimes a driver simply isn't available for Linux, QNX, VxWorks or other embedded OSes.
That is actually the best argument to avoid such hardware. Rely on hardware that is open-standards based; then you can reduce dependency on proprietary drivers.
The reason they have to stay with XPe is because there probably aren't any drivers for Vista/Win7/Win8/Win8.1. So much for the benefit of reusing XP drivers.
On the other hand, I'm sure whatever is needed could be ported to NetBSD - which can probably also run on these things, as it runs on just about everything else, including toasters [slashdot.org]. Just sayin' that there's more to wide-spread hardware portability than just XPe.
Re: (Score:3)
"Or are we talking about thespians who specialize in instilling apprehension and dread, while standing on top of dinnerware?"
Well if they call everyone "Daaahhling!" and have endless anecdotes about how they were at the RSC with Daaahhling Larry doing a particularly evil modern day interpretation of Richard III involving hackers then that may well be the case.
Re: (Score:2)
Okay... first, is a "China-based threat actor" anything like a Chinese hacker?
Newspeak. [wikipedia.org]
Re: Windows 8 eraser (Score:1)
Re: (Score:2)
No, not "good work". And we're not going to fire any missiles at China.
The article essentially told us absolutely nothing useful.
I don't give a crap where the command and control for the malware is.
I need to know who the manufacturer is, what brands that manufacturer produces, and what specific products we're talking about.
And that's exactly what the rest of you need to know as well, because at least some of us need to know what scanners we need to find and toss in a bin. And we need to know what to look
Re: (Score:2)
Backtrack the financials... (Score:5, Interesting)
Check for uncanny puts and calls on the market before earnings reports come out that can be traced to related parties...
Re: (Score:2)
I'd say "So they know those financials. So what?" It's not like they got the nuclear arsenal codes.
Re: (Score:1)
Sure they do, it's 0000000
Everyone knows this.
Re: (Score:2)
You can buy your own devices with enough cash, which you get from massively profitable trades based on (stolen) insider information.
I don't think a nuclear arsenal is what they are after though... more likely they just want to take the money and run.
Re: (Score:1)
The Moral? (Score:1)
Don't buy stuff from China. It's built with the bones of children AND it contains malware.
Re: The Moral? (Score:1)
Re: (Score:2)
Sounds to me like a prime opportunity to re-open one, and tout "American or Canadian made" with "staff from inside the country" along with "rigorous QC."
Re: (Score:1)
We don't know how to make chips in the US?
I think Intel and IBM would disagree.
Re: (Score:1)
IBM? AMD? Intel? Samsung? Apple? They all make chips, and none of them are making them in China.
China is a major IP problem, and that IP problem is self-imposed by their culture. Korea and Japan also share some of this culture (Samsung vs Apple), but they're not making compromised hardware because that would absolutely kill them when their customers no longer trust their products.
Nobody has any reason to trust Chinese hardware or drivers, often the parts are counterfeit, and so are the drivers. I can name a
Re: (Score:1)
Go look at existing decay images from Chernobyl, Salton Sea, and Code (California) to see how fast certain environments encroach.
I've heard of bitrot [wikipedia.org], but Code, California? Some google employee enclave? And you say it is deteriorating?
Re: (Score:1)
US manufacturing seems to interest Asian companies more than any US ones, they exited the US in the 80s/90s and invested heavily overseas. Even Foxconn of suicidal worker fame has been talking about opening US facilities.
Re: (Score:2)
Well Intel still makes microprocessors and Microchip still makes microcontrollers in the US.
If you want ARM ST makes micros in Europe which is an ally, oh wait ... scratch the last one.
Re: (Score:2)
Slashdot is no place for your paranoid racist rant. Take it to Stormfront.
Re: (Score:2)
Sounds to me like a prime opportunity to re-open one, and tout "American or Canadian made" with "staff from inside the country" along with "rigorous QC."
Of course! Because we all know no American agency would place backdoors or malware in a product, right?
Re: (Score:1)
Re: (Score:2)
I don't know if they are all manufactured in China, but a local company, Intermec, makes and sells scanners. They may be Chinese-sourced parts, though.
Awaiting the Chinese government's response (Score:1)
In 3 months, when absolutely nothing has been done to identify or punish the people responsible for this:
Look! NSA Spy on you! Snowden nice guy, spend time in Hong kong running from US Government. This, little problem, everyone forget soon!
Open source. (Score:3)
Really we are just seeing a failure in widely used proprietary software.
Obscure proprietary software is less of a problem because hackers are less likely to attack it.
Have you forgotten? (Score:1)
Re: (Score:2)
[citation needed]
Seriously, if you've got evidence of this, post it. Name names.
Making vague "infected EFI" comments is utterly unhelpful.
it isn't XP, it's an ethics problem (Score:3)
If the summary is at all accurate, the manufacturer built both the hardware and the software. So blaming the OS is silly. This is a case where any OS could be used, even a custom one, and they would add the spying functionality as they were building it. The real issue is buying hardware systems from unethical folks; no OS hardening in the world will help you when the manufacturer controls it.
If China doesn't improve their stand on ethics, they will be relegated to building bath toys and partial systems where their leaks and theft aren't super critical. If they hope to join the rest of the developed world, they need to get their shit together.
Re: (Score:2)
it's not really an ethics problem (Score:1)
Ethics are only a problem for people that are well fed and comfortable. Just saying.
Would you steal bread from the wealthy decadent neighbor if your family was starving? Would it be more ethical to let your children starve?
Contrived example, I know. But as wealth inequality gets worse, so too do these issues. If your standard of living is 2 orders of magnitude better, I'm pretty sure the people living in poverty will all heave a great sigh of pity at this injustice to your stock portfolio.
Seriously? Bat
Re: (Score:2)
If they hope to join the rest of the developed world, they need to get their shit together.
so, you suggest, USA ain't developed?
http://tech.slashdot.org/story/14/04/22/001239/intentional-backdoor-in-consumer-routers-found [slashdot.org]
Re: (Score:1)
Hypocrisy (Score:1)
Chinese hackers (Score:1)
Re: (Score:1)
jargon (Score:2)
What the hell is a "threat actor"?
Why use jargon when "criminal" is a perfectly good word? And if this is a specific type of criminal, say a terrorist or a thief or the intelligence apparatus of a foreign country, then there are very descriptive and precise words for those as well. If it's corporate espionage, then "crook" works well, too.
Why do people who use technology feel the need to create neologisms for the most mundane things? Just the other day, I saw someone from a news web site refer to an "art