Manufacturers, IoT in sights of new malware campaign

Published on the 12/02/2020 | Written by Heather Wright

This little yellow duckie is targeting IoT devices…

Manufacturers are being targeted by a new malware variant which is exploiting flaws in IoT devices using Windows 7, including smart printers, smart TVs and heavy operational equipment.

The malware campaign, highlighted by cyber detection technology provider TrapX Security last week, uses a Lemon_Duck PowerShell malware variant to exploit vulnerabilities, and comes as Microsoft ends support for Windows 7 – officially discontinued on January 14 2020.

TrapX says the campaign, which uses a self-spreading downloader that runs malicious scripts as part of the Lemon Duck malware variant family, has targeted a range of devices at several manufacturer sites.

“The manufacturing sector faces large challenges due to its reliance on embedded devices running legacy operating systems,” TrapX says. “These devices cannot be updated easily, and most often need to be replaced in order to upgrade to new, more secure operating systems.

“The existence of devices running legacy operating systems leaves these networks open to the campaign causing risks to employee safety, disruption of production and, in some cases, loss of sensitive data.”

TrapX says several of the world’s largest manufacturers have been infected.

While the malware would be quarantined on a Windows 10 system with Windows Defender Virus and Threat Protection activated, it stayed and ran on a Windows 7 system even with Windows Defender activated.

The malware tries to create a slave army of crypto-miners, mining Monero cryptocurrency. The intensive mining process can affect equipment operations and trigger malfunctions, creating possible safety issues, disrupting supply chains and causing data loss.

In each of the three cases outlined by TrapX, unpatched Windows 7 vulnerabilities, including ones tied to Microsoft’s implementation of the Server Message Block protocol, were exploited as a starting point. SQL injection attacks against vulnerabilities in the MySQL database application were also launched.

TrapX claims around 200 million devices worldwide are still running the Windows 7 operating system.

The attacks were first seen in October 2019. Back then Latin American manufacturers were the focus, but the attackers are now going global, with companies in North America, Africa and the Middle East among those targeted.

TrapX’s report includes details on attacks via a DesignJet SD Pro Scanner/printer used for printing technical engineering drawings and containing sensitive data for the manufacturer’s product line, and an automated guided vehicle. In that instance the campaign caused confusion on the production line ‘possibly damaging products AGVs assemble’, TrapX says.

“The SOC investigated the source of infection and found it came from the supply chain as the device was infected at its original manufacturing site. A lack of Windows 7 security enabled the malware to spread rapidly.”

Other AGVs on the network were also found to be pre-infected with the malware.

“This is a common example of a supply chain attack,” TrapX says.

“Such supply chain attacks are becoming more common as outside partners and providers gain more access to systems and data. This unavoidable reality increases the risk for new types of attacks.”

Good hygiene can go a long way in helping prevent issues, however. Mitigation tips offered up by TrapX include enforcing strong password policy across all networks and subsystems, keeping systems patched and Windows virus and threat protection on, and using web gateway, endpoint and email protection technologies.

Granting the lowest privileges required for each action, increasing security awareness by educating employees, managing network shares and disabling anonymous logins are also recommended.
