IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack
Three of the world’s largest manufacturers had some IoT devices running Windows 7 infected with a piece of malware in what experts believe to be a supply chain attack.
TrapX Security reported this week that it had identified a cryptocurrency miner on several IoT devices at some major manufacturers, including automatic guided vehicles, a printer and a smart TV.
Ori Bach, the CEO of TrapX, told SecurityWeek that the attacks appeared to be part of the same campaign. He said his company’s researchers discovered infections at three manufacturers, with multiple incidents recorded across over 50 sites in the Middle East, North America and Latin America.
The infections were spotted in October 2019 and the attackers targeted embedded systems running Windows 7. Windows 7 reached end of life last month, but there are still hundreds of millions of PCs worldwide that run the operating system.
The malware used in the campaign has been described as a self-spreading downloader that runs malicious scripts associated with a cryptocurrency miner named Lemon_Duck.
At one manufacturing site, the malware was found on several automatic guided vehicles (AGVs) that were running Windows 7. AGVs are used to transport materials or perform specific tasks in a manufacturing plant.
According to TrapX, “the malware spread quickly enough to be extremely disruptive.” The cybersecurity firm noted that if communications are disrupted or incorrect commands are generated by the malware, the vehicle could go off track and cause physical damage or harm people, but in this case action was taken before severe damage could occur.
An infection was also spotted on a smart TV that had a built-in PC running Windows 7. The device was connected to the manufacturing network and it provided production data to employees in charge of the production line. TrapX’s researchers determined that the attacker exploited a vulnerability in Windows 7 to install the malware on the TV and that the crypto-miner had been deployed several months earlier.
“The threat could have compromised the entire network, including other companies that had assets within both the enterprise and the manufacturing networks,” TrapX said in its report.
In another example, the malware was spotted on a DesignJet SD Pro multifunction printer, which had been used to print technical engineering drawings and which stored sensitive data related to the victim’s product line. TrapX says this device served as the entry point into the victim’s network.
“The DesignJet SD Pro scanner/printer was a core component of the manufacture; any device downtime would have caused a production delay,” TrapX said in its report.
The cybersecurity firm believes that in all of these cases the malware was installed on the devices before they reached the manufacturers.
“We believe the attack initially targeted the supply chain, and then any manufacturer that was part of the targeted supply chain was affected,” Bach told SecurityWeek.