Holding the attack in your hand: how organizations’ ERP systems are the target of Zombie Zero

Picture someone walking around a section of your business and simply scanning your business-critical data, financial records and other ERP information away. It sounds like something out of Star Trek, but in a report published by Antone Gonsalves on CSO Online this has already happened to at least half a dozen large European and US companies.

What happened? These companies all bought scanners from the same Chinese company for use in their shipping departments. These scanners were later discovered to have malware installed on them, and when the scanners were connected to the business's network and operated, the malware was activated. This targeted malware, dubbed Zombie Zero, consisted of a three-stage attack.

Stage one had the scanner look for and try to compromise any server with the word ‘finance’ in the host name. This searching and compromising activity would continue until the malware discovered and compromised the host, which each time was an ERP system. At this point stage two would begin.

Stage two involved the download of additional malware to the scanner that would establish a bridge between the compromised ERP system and command and control (C&C) servers that have been reported to be located in Shandong Province, China. In fact the reports specifically identify Lanxiang Vocational School as the location of these C&C servers. This school trains computer scientists for the Chinese military. In 2010, it was linked to cyber-attacks, dubbed Operation Aurora, against dozens of organizations, including Google, Yahoo, Northrop Grumman, Morgan Stanley and Dow Chemical.

At this point stage three was launched, which involved the transfer and execution of even more malware to create a more sophisticated connection to a new set of C&C servers. This connection was used to copy data out of the ERP servers. This allowed the attackers to gain “complete situational awareness and visibility into the logistic/shipping company's worldwide operations”, with the potential to gain access to any other data stored in the ERP systems or in other systems with a relationship with the compromised ERP systems.

In summary, malware on a trusted hardware supplier's device allowed the attack to originate from inside the network. The traditional view of the attacker existing solely outside a corporation's network and having to compromise the external-facing firewalls or having to launch email-borne attacks in order to gain a foothold in a network no longer holds true. Now attackers are planting code in hardware devices you are installing inside your network, in the same way that PF Chang’s customers were compromised because credit card reading devices had malware placed on them.

None of this software is installed on your common workstations and servers, and there is no antivirus software that runs on a scanner. In addition, according to the original report by TrapX (requires registration), the compromised companies had traditional defensive technologies in place, including general IDS systems. The current advice resulting from these breaches is to vet the manufacturer of all your custom and non-PC/server hardware and software. However, this requires very specialized skills to analyze firmware and hardware for new malware and malicious capabilities.
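Even though nothing can run on the scanner itself, each of the three stages described above leaves a network-visible trace: a shipping-floor device hunting for hosts with “finance” in the name, the same device opening sessions to the internet, and then a volume of data leaving through that session. The script below is an added illustration, not TrapX's or Onapsis' code and not taken from the original report; it checks exported flow and DNS records against a hypothetical asset inventory that says which devices are handheld scanners and the one internal host each is allowed to talk to. The inventory (`SCANNER_POLICY`), the thresholds and the `SAMPLE_FLOWS` records are all constructed for the example.

```python
"""Flow-based detection of a Zombie Zero-style device compromise.

Added example, not TrapX's or Onapsis' code. It assumes:
- flow and DNS records exported from the shipping-floor switch/firewall and
  parsed into dicts (SAMPLE_FLOWS below is constructed);
- a small asset inventory (SCANNER_POLICY, hypothetical) listing each handheld
  scanner and the single internal host it is allowed to talk to.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical inventory: scanner address -> the one integration host it may reach.
SCANNER_POLICY = {
    "10.20.5.11": {"allowed_hosts": {"10.20.1.10"}},  # shipping-floor scanner A
    "10.20.5.12": {"allowed_hosts": {"10.20.1.10"}},  # shipping-floor scanner B
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RECON_HOST_THRESHOLD = 3                  # distinct off-policy internal hosts before flagging
SENSITIVE_NAME_FRAGMENTS = ("finance",)   # hostname pattern the report says stage one hunted for
EXFIL_BYTES_THRESHOLD = 1_000_000         # outbound bytes from a device that should send none


@dataclass(frozen=True)
class Finding:
    device: str
    stage: str
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse_flows(flows: list[dict]) -> list[Finding]:
    """Map each scanner's observed behaviour onto the three stages described in the post."""
    findings: list[Finding] = []
    offpolicy_peers: dict[str, set[str]] = defaultdict(set)
    outbound_bytes: dict[str, int] = defaultdict(int)

    for f in flows:
        src = f["src"]
        if src not in SCANNER_POLICY:      # only devices the inventory says are scanners
            continue
        if f["type"] == "dns":
            qname = f["qname"].lower()
            if any(frag in qname for frag in SENSITIVE_NAME_FRAGMENTS):
                findings.append(Finding(src, "stage1-recon", f"DNS lookup for {f['qname']}"))
            continue
        dst = f["dst"]
        if is_internal(dst):
            if dst not in SCANNER_POLICY[src]["allowed_hosts"]:
                offpolicy_peers[src].add(dst)
        else:
            # A barcode scanner has no business opening sessions to the internet.
            findings.append(Finding(src, "stage2-c2", f"outbound session to {dst}:{f['dport']}"))
            outbound_bytes[src] += f.get("bytes_out", 0)

    for dev, hosts in offpolicy_peers.items():
        if len(hosts) >= RECON_HOST_THRESHOLD:
            findings.append(Finding(dev, "stage1-recon",
                                    f"contacted {len(hosts)} internal hosts outside policy"))
    for dev, total in outbound_bytes.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            findings.append(Finding(dev, "stage3-exfil", f"{total} bytes sent to external hosts"))
    return findings


def stages_by_device(findings: list[Finding]) -> dict[str, list[str]]:
    """Collapse findings into device -> sorted list of stages seen, for reporting."""
    out: dict[str, set[str]] = defaultdict(set)
    for fd in findings:
        out[fd.device].add(fd.stage)
    return {dev: sorted(stages) for dev, stages in out.items()}


# Constructed sample: scanner A behaves; scanner B walks through all three stages.
SAMPLE_FLOWS = [
    {"type": "flow", "src": "10.20.5.11", "dst": "10.20.1.10", "dport": 8080, "bytes_out": 2_000},
    {"type": "dns",  "src": "10.20.5.12", "qname": "finance-erp.corp.example"},
    {"type": "flow", "src": "10.20.5.12", "dst": "10.20.2.5", "dport": 445, "bytes_out": 900},
    {"type": "flow", "src": "10.20.5.12", "dst": "10.20.2.6", "dport": 445, "bytes_out": 900},
    {"type": "flow", "src": "10.20.5.12", "dst": "10.20.2.7", "dport": 445, "bytes_out": 900},
    {"type": "flow", "src": "10.20.5.12", "dst": "203.0.113.45", "dport": 443, "bytes_out": 4_800_000},
]

if __name__ == "__main__":
    for fd in analyse_flows(SAMPLE_FLOWS):
        print(f"{fd.device:12} {fd.stage:13} {fd.detail}")
```

The point of the inventory is that a device class with a single legitimate peer has an unusually small expected footprint, so the policy can be strict without generating noise; a general-purpose IDS signature set, tuned for workstations and servers, has no such baseline for a scanner. In practice the thresholds would be set from a few days of observed traffic from known-good devices.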

Another way to prevent this would be to measure and understand the security posture of your ERP systems. Using ERP-aware security assessment and audit software to measure the attack surface and vulnerabilities means you can intelligently categorize and prioritize the risk and produce a meaningful plan to reduce or eliminate it.


Here at Onapsis we would love an opportunity to show how our technology can be run from any point on your network, showing the level of exposure and risk to your ERP systems from guest, operations, contractor and any other vantage point on your network. Contact us today about our trial software.
