Security Experts:

Connect with us

Hi, what are you looking for?


Cyber Insurance

IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack

Three of the world’s largest manufacturers had some IoT devices running Windows 7 infected with a piece of malware in what experts believe to be a supply chain attack.

Three of the world’s largest manufacturers had some IoT devices running Windows 7 infected with a piece of malware in what experts believe to be a supply chain attack.

TrapX Security reported this week that it had identified a cryptocurrency miner on several IoT devices at some major manufacturers, including automatic guided vehicles, a printer and a smart TV.

Ori Bach, the CEO of TrapX, told SecurityWeek that the attacks appeared to be part of the same campaign. He said his company’s researchers discovered infections at three manufacturers, with multiple incidents recorded across over 50 sites in the Middle East, North America and Latin America.

The infections were spotted in October 2019 and the attackers targeted embedded systems running Windows 7. Windows 7 reached end of life last month, but there are still hundreds of millions of PCs worldwide that run the operating system.

The malware used in the campaign has been described as a self-spreading downloader that runs malicious scripts associated with a cryptocurrency miner named Lemon_Duck.

Malware found on AGV

At one manufacturing site, the malware was found on several automatic guided vehicles (AGVs) that were running Windows 7. AGVs are used to transport materials or perform specific tasks in a manufacturing plant.

According to TrapX, “the malware spread quickly enough to be extremely disruptive.” The cybersecurity firm noted that if communications are disrupted or incorrect commands are generated by the malware, the vehicle could go off track and cause physical damage or harm people, but in this case action was taken before severe damage could occur.

An infection was also spotted on a smart TV that had a built-in PC running Windows 7. The device was connected to the manufacturing network and it provided production data to employees in charge of the production line. TrapX’s researchers determined that the attacker exploited a vulnerability in Windows 7 to install the malware on the TV and that the crypto-miner had been deployed several months earlier.

“The threat could have compromised the entire network, including other companies that had assets within both the enterprise and the manufacturing networks,” TrapX said in its report.

In another example, the malware was spotted on a DesignJet SD Pro multifunction printer, which had been used to print technical engineering drawings and which stored sensitive data related to the victim’s product line. TrapX says this device served as the entry point into the victim’s network.

“The DesignJet SD Pro scanner/printer was a core component of the manufacture; any device downtime would have caused a production delay,” TrapX said in its report.

The cybersecurity firm believes that in all of these cases the malware was installed on the devices before they reached the manufacturers.

“We believe the attack initially targeted the supply chain, and then any manufacturer that was part of the targeted supply chain was affected,” Bach told SecurityWeek.

Related: Zurich Announces New Cyber Insurance for Manufacturing Industry

Related: SWEED Hackers Target Manufacturing, Logistics Organizations

Related: Hackers Steal Customer Data From Manufacturing Company

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.