In a security alert posted on its support site, IBM is warning customers who purchased IBM Storwize storage products that the USB drives containing the initialization tool for the systems may be infected with malicious code.
The malware has been identified as a variant of the Reconyc (aka Pondre) malware family, a trojan primarily designed to download additional malicious payloads.
Launching the installation tool from infected USB drives creates a copy of both the tool and the malware in a temporary folder on the customer's hard drive. The folder is named %TMP%\initTool on Windows systems and /tmp/initTool on Linux and Mac systems.
IBM stresses that the malware does not execute during that process, so copying the tool to disk does not by itself infect the host.
As long as the malicious file remains on the hard drive or on the USB drive, however, it can still be run later, by a user or by another program. For that reason, IBM recommends deleting the temporary folder and either reformatting the USB flash drive or securely destroying it so it can't be reused.
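An added example of the cleanup IBM describes, written for this page and not part of IBM's tool or advisory: a small cross-platform script that looks in the two locations the advisory names (%TMP%\initTool on Windows, /tmp/initTool on Linux and macOS), records a SHA-256 hash of every file it finds there, and removes the folder only when explicitly asked. The function names, the dry-run default and the sample file used in the test are this example's own assumptions; the advisory does not name the malicious file, so the script inventories everything in the folder rather than looking for a specific name.

```python
"""Find and (optionally) remove the leftover initTool folder that the Storwize
initialization USB copies into the temp directory.

Added example, not IBM's code. Only the folder name and the two locations
come from the advisory; the rest is this example's own design.
"""
import hashlib
import os
import shutil
import sys
import tempfile
from pathlib import Path

FOLDER_NAME = "initTool"  # folder name given in the IBM advisory


def candidate_dirs():
    """Locations from the advisory: %TMP%\\initTool on Windows, /tmp/initTool
    on Linux and macOS. tempfile.gettempdir() honours %TMP% on Windows;
    /tmp is added explicitly for Unix-like hosts in case TMPDIR points elsewhere."""
    dirs = [Path(tempfile.gettempdir()) / FOLDER_NAME]
    if os.name != "nt":
        dirs.append(Path("/tmp") / FOLDER_NAME)
    seen, unique = set(), []
    for d in dirs:  # de-duplicate while keeping order
        if d not in seen:
            seen.add(d)
            unique.append(d)
    return unique


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large tool binaries don't sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(folder):
    """Return {relative_path: sha256} for every regular file under folder."""
    folder = Path(folder)
    return {
        str(p.relative_to(folder)): sha256_of(p)
        for p in sorted(folder.rglob("*"))
        if p.is_file()
    }


def check_and_clean(dirs=None, remove=False):
    """Inspect the candidate folders. Returns {folder: {"files": {...},
    "removed": bool}} for every folder that exists. Hashes are taken before
    deletion so they can be compared with vendor indicators later. Nothing
    is deleted unless remove=True (dry run by default)."""
    report = {}
    for d in (dirs if dirs is not None else candidate_dirs()):
        d = Path(d)
        if not d.is_dir():
            continue
        files = inventory(d)
        removed = False
        if remove:
            shutil.rmtree(d)
            removed = True
        report[str(d)] = {"files": files, "removed": removed}
    return report


if __name__ == "__main__":
    result = check_and_clean(remove="--remove" in sys.argv)
    if not result:
        print("no initTool folder found in the advisory's temp locations")
    for folder, info in result.items():
        state = "removed" if info["removed"] else "present (dry run, pass --remove to delete)"
        print(f"{folder}: {state}")
        for name, digest in info["files"].items():
            print(f"  {digest}  {name}")
```

Run it once without arguments to see what is there, keep the hash list with the incident record, then run it with --remove. Clearing the folder only removes the copied files; the USB drive itself still has to be reformatted or destroyed as IBM advises, or the next run of the initialization tool will copy the malware back.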
According to IBM, USB drives shipped with the following Storwize models may have the malware installed:
IBM Storwize V3500 - 2071 models 02A and 10A
IBM Storwize V3700 - 2072 models 12C, 24C and 2DC
IBM Storwize V5000 - 2077 models 12C and 24C
IBM Storwize V5000 - 2078 models 12C and 24C
Lenovo also issued a similar alert for the following models branded as "IBM Storwize for Lenovo":
IBM Storwize for Lenovo V3500 - 6096 models 02A and 10A
IBM Storwize for Lenovo V3700 - 6099 models 12C, 24C and 2DC
IBM Storwize for Lenovo V5000 - 6194 models 12C and 24C
The USB drives have the part number 01AC585.
[Image: The initialization USB flash drive shipped with IBM Storwize products. Credit: IBM]
How did this happen?
IBM has yet to shed any light on how the malware ended up on the USB drives. For Lenovo, it's the second time in two months a product was shipped to customers with malware installed. In March, news broke that 38 Android smartphones from Lenovo, Samsung, and others had been infected with malicious code at some point during the supply chain and manufacturing process.
Why USB drives are a particularly dangerous attack vector (and how malware deployed via USB drives can be stopped)
Even for those who aren't Storwize customers, this serves as a reminder that organizations need to be prepared for attacks that originate via flash drives.
While the vast majority of malware arrives on systems via email attachments or web-based attacks, USB drives still offer attackers a devastatingly direct delivery vehicle: the payload bypasses email and web gateways entirely and lands on the endpoint already.
That puts the burden of recognizing and stopping the malware squarely on endpoint security, and with malware authors continuing to outpace and evade antivirus detection, organizations need another layer of defense there.
Because Barkly's runtime malware defense (RMD) recognizes and blocks malicious activity in real time, it protects organizations from malware no matter how it is delivered, whether via phishing, an exploit kit, or a USB drive.
In this case, that means even if the Reconyc trojan pre-packaged on these USB drives is executed, Barkly customers are protected.