Supply Chain Attack: IBM a Victim

Monday, May 1, 2017 @ 04:05 PM gHale

You can see it all over the industry as the potential for an attack resides within the supply chain. After all, why not infiltrate a weaker partner in a move to infect a wider range of end user victims.

That falls in line with an alert sent out by IBM and Lenovo last week as IBM said it found out it has been shipping malware-infected initialization USBs for its Storwize storage systems used by Lenovo.

Oil and Gas Security ‘Not Keeping Pace’
ARC: Open, Secure Systems Moving Forward
ARC: Take ‘Crown Jewels’ Offline
Lesson Learned: IT-OT Convergence

“IBM has detected that some USB flash drives containing the initialization tool shipped with the IBM Storwize V3500, V3700 and V5000 Gen 1 systems contain a file that has been infected with malicious code,” IBM said in its alert.

Lenovo published a similar warning, saying “Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM contain a file that has been infected with malicious code. The malicious file does not in any way affect the integrity or performance of the storage systems.”

Apparently, the last part of that is true as long as the infected file is not manually executed by the user. Launching the initialization copies the malware and the initialization tool to a temporary folder, but does not execute the malware itself.

This malware is not new. Detected variously as Win32/Pondre, VirTool:Win32/Injector.EG, W32.Faedevour!inf and others by different AV engines, it ended up uncovered by 57 out of 61 AV engines on Virus Total at the end of March 2017. It follows that most mainstream anti-virus products would immediately detect its presence.

USB drive models V3500-2071, V3700-2072, V5000-2077 and V5000-2078 may be infected. “IBM Storwize Systems with serial numbers starting with the characters 78D2 are not affected,” IBM said.

Lenovo said users should destroy the affected drives. Users who have already used the drive should first check their AV system has effectively quarantined or removed the malware. If it hasn’t, it can be manually removed by deleting the Windows directory %TMP%\initTool or the Mac or Linux directory /tmp/initTool; taking care to delete the directory rather than simply moving it to the Recycle Bin.

There are two primary aspects to this incident. The first is a serious embarrassment to IBM; but the most worrying aspect is that

This attack goes to show the supply chain of a company as large as IBM can end up affected. What about other huge companies? Are they just as susceptible? In this case, the malware itself seems to be neither difficult to detect, nor difficult to remove. But it does go to show the supply chain has become an attack vector.

Leave a Reply

You must be logged in to post a comment.