Supply Chain Compromises in the News: From Scanners to Servers

Today’s breaking news uncovered by threat researchers at TrapX Security involves compromised firmware in handheld scanners being used to compromise corporate networks.  The attack appears to have used sophisticated malware embedded in the mobile scanner firmware that subsequently targeted servers inside the enterprise. According to the Dark Reading article, “A Chinese manufacturer that sells the popular devices for scanning items shipped or transported apparently has been implanting the malware in its products”.

Todd Thiemann

Todd Thiemann

This new report of a supply chain attack is something that the US Department of Defense (DOD) Defense Science Board warned about.  What I find interesting in this particular attack is 1) the supply chain approach and 2) the sophistication (malware in the handheld scanners that then launched against servers).

This attack is in a similar vein to the NSA’s Tailored Access Operations (TAO) catalog of exploits.   It is a matter of time before bad guys profit using techniques pioneered by sophisticated state actors (if they are not doing so already).

It is a small step for the attack technique using handheld scanners to be applied against servers.  For example, a compromised NIC from China gets slotted into a server and exposes an organization’s sensitive data.  

While today’s news involved handheld scanners, tomorrows news could involve other IT supply chain elements.  Enterprises need to consider validating the integrity of the components coming through their IT supply chain.  What can a savvy IT security person do to avoid these sorts of threats going against server infrastructure?  As Gartner analyst Joerg Fritsch and Mario DeBoer highlighted in recent research, you need to validate server integrity to bootstrap trust as well as consider runtime security controls.