The need to maintain security over the supply chain has been confirmed by alerts issued at the end of last week by both IBM and Lenovo. IBM has been shipping malware-infected initialization USBs for its Storwize storage systems which are used by Lenovo.
“IBM has detected that some USB flash drives containing the initialization tool shipped with the IBM Storwize V3500, V3700 and V5000 Gen 1 systems contain a file that has been infected with malicious code,” warns IBM in its alert.
Lenovo published a similar alert: “Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM contain a file that has been infected with malicious code. The malicious file does not in any way affect the integrity or performance of the storage systems.”
The last statement is only true so long as the infected file is not manually executed by the user. Launching the initialization copies the malware and the initialization tool to a temporary folder, but does not execute the malware itself.
This malware is not new. Detected variously as Win32/Pondre, VirTool:Win32/Injector.EG, W32.Faedevour!inf and others by different AV engines, it was detected by 57 out of 61 AV engines on Virus Total at the end of March 2017. It follows that most mainstream anti-virus products would immediately detect its presence.
USB drive models V3500-2071, V3700-2072, V5000-2077 and V5000-2078 may be infected. “IBM Storwize Systems with serial numbers starting with the characters 78D2 are not affected,” says IBM.
Lenovo recommends that users should destroy the affected drives. Users who have already used the drive should first check that their AV system has effectively quarantined or removed the malware. If it hasn’t, it can be manually removed by deleting the Windows directory %TMP%\initTool or the Mac or Linux directory /tmp/initTool; taking care to delete the directory rather than simply moving it to the Recycle Bin.
There are two primary aspects to this incident. The first is a serious embarrassment to IBM; but the most worrying aspect is that the supply chain of a company as large and prestigious as IBM can be affected. The malware itself seems to be neither difficult to detect, nor difficult to remove — but the supply chain has become a major attack vector. Both IBM and Lenovo can consider themselves lucky that it wasn’t more sophisticated new malware.
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
More from Kevin Townsend
- Sysdig Launches Realtime Attack Graph for Cloud Environments
- The CISO Carousel and Its Effect on Enterprise Cybersecurity
- Venafi Leverages Generative AI to Manage Machine Identities
- Hacker Conversations: Casey Ellis, Hacker and Ringmaster at Bugcrowd
- OT/IoT and OpenTitan, an Open Source Silicon Root of Trust
- CISOs and Board Reporting – an Ongoing Problem
- Vector Embeddings – Antidote to Psychotic LLMs and a Cure for Alert Fatigue?
- The Team8 Foundry Method for Selecting Investable Startups
Latest News
- US State Department Says 60,000 Emails Taken in Alleged Chinese Hack
- Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Government Shutdown Could Bench 80% of CISA Staff
- Moving From Qualitative to Quantitative Cyber Risk Modeling
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
