IBM shipped malware-laden USB sticks to unsuspecting customers by Chris Bing.
From the post:
Malware-laden USB sticks were accidentally sent by IBM to a series of enterprise customers that had purchased storage systems developed by the computing giant, according to a company advisory published last week.
An unidentified number of these drives were mailed as an installation tool for users setting up IBM Storewize V3700 and V5000 Gen 1 storage systems. IBM says that all of the infected USBs carried the same serial number: 01AC585.
An IBM spokesperson did not respond to CyberScoop’s inquiry. It remains unclear how the malware originally found its way onto the drives.
…
One upside of this story is you now know what a USB for the IBM Storewize V3700 and V5000 Gen 1 storage systems looks like.
Not that you would go out and create fake USBs for IBM Storewize V3700 and V5000 Gen 1 storage systems. Heaven forbid!
Another upside is the story acts as a reminder that you can purchase or sweat over find a new zero-day, versus taking the simpler route of getting a victim to infect themselves.
Professional DVD duplication is cheap and widespread. Recipients are unlikely to question the receipt of a “prize” DVD.
Selecting best DVD for a recipient is the real question. Pleading “responsible disclosure,” I have to omit details on ways to make that selection.
😉
The DVD route requires more preparation than phishing but unlike emails, due to sharing, malware DVDs are gifts that keep on giving.