A cyber attack on 150,000 internet-connected printers worldwide by a hacker using the name Stackoverflowin was reported recently. The good news, apparently, is that the hacker did it for fun, with the stated aim of raising awareness of how vulnerable internet-connected printers are to cyber crooks.
The bad news is that the same capability could be turned to more serious ends at any time, and similar attacks could be launched with real malicious intent in the future. Stackoverflowin wrote an automated script that scanned the internet for devices exposing the Internet Printing Protocol (IPP), the Line Printer Daemon (LPD) protocol or an open port 9100, and then sent the targeted devices rogue print jobs.
Some of the messages sent to the printers read “You are now part of Flaming Botnet” or “pwned”. The first version of the message included ASCII art of a computer and the second ASCII art of a robot. The hacker also warned printer owners to “close the port, skid”, and as soon as owners received the messages they flocked to tech portals such as Reddit and Twitter for advice.
Several commentators questioned Stackoverflowin’s real motive, while others claimed the attack was launched by a cyber team from Russia. According to details posted on Stackoverflowin’s Twitter handle, the printer brands affected include Canon, Epson, HP, Brother, Samsung and Konica Minolta, along with 20 other major brands. Stackoverflowin further stated that his intention was merely to have fun, adding that he was not using his knowledge to spread hate messages or send racist flyers; the only positive point in the whole saga is that he was interested solely in demonstrating his capabilities to the outside world.
Nevertheless, had the hacker chosen to put his skills to negative use, printer users worldwide might have faced a major crisis. According to Paul McKiernan, Print Security Advisor at HP Inc., “There has been a significant increase in the number of cyber-attacks using printers as an intrusion vector”. Speaking to SC Media UK at Infosecurity Europe 2017 on 7 June, McKiernan said, “We are seeing more incidents reported to us this year than last year. Just last night in Denmark, a user noticed a memory corruption error.
The device was not connected to a SIEM and viewed by a SOC, or it would have been seen instantaneously; nonetheless, the user spotted it and told the IT department. They were then able to execute their incident response plan, disconnect the device, go in and retrieve information and look at their monitoring to find where the attack had come from and shut down the respective attack vector. They have not got to the root cause yet.
So the right thing was done, but we need it automated. It is a large private Danish company that reported the attack at the close of business last night,” he added. McKiernan also noted that the issue was increasingly appearing on organisations’ radars, yet during InfoSec 2017 overseas ministries of defence had visited HP’s stand blissfully unaware that printers might be an attack vector, while a local transport organisation was clearly highly aware, which made for quite an uneven pattern.
He explained that printer security faces the same threat actors that target businesses generally, looking for the weakest link in their infrastructure, whether ingress or egress points or propagation nodes. McKiernan therefore advised users not to think of printers as simple commoditised devices, bought by the purchasing department on price alone with no input from the CISO; instead, printers should be integrated sensibly into the organisation’s mainstream cyber-security tools.
McKiernan notes that many vulnerability scanners will not report the biggest risks in print. To protect a network fully it is necessary to know the organisation’s business processes and workflows, including the weakest application that talks to the printer. “If you are not monitoring your printers, with a CIS log going to your SIEM, a hacker could execute malware on the printer and not on the computer, which is monitored.
It would wait until the document is printed, which is a stream of data that can carry malware instructions to deploy. One-time intrusion detection scans are needed for those types of things,” McKiernan said. CISOs need to be aware that there is ongoing growth in memory-based attacks. There have been media reports of printers with open internet connections identified using Shodan and publicised by Stackoverflowin, which highlighted the problem to both potential victims and potential attackers.
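As an added illustration of the printer monitoring McKiernan describes (example code written here, not from the article or from HP), the following Python check reads constructed printer connection logs and flags connections to the print services the Stackoverflowin scan targeted (raw port 9100, LPD on 515, IPP on 631) that arrive from outside the organisation’s own address ranges. The log format and the internal ranges are assumptions.

```python
import ipaddress
import re

# Printer service ports targeted by the scan in the article:
# 9100 = raw/JetDirect, 515 = LPD, 631 = IPP (standard port assignments).
PRINTER_PORTS = {9100: "raw-9100", 515: "lpd", 631: "ipp"}

# Assumed: the organisation's own address space (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log lines in an assumed syslog-like format; the public
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2017-06-07T22:10:03Z printer01 conn src=10.0.4.17 dport=9100 bytes=5120
2017-06-07T22:10:09Z printer01 conn src=203.0.113.45 dport=9100 bytes=812
2017-06-07T22:10:11Z printer01 conn src=203.0.113.45 dport=631 bytes=0
2017-06-07T22:11:40Z printer01 conn src=192.168.1.20 dport=515 bytes=2048
2017-06-07T22:12:02Z printer01 conn src=198.51.100.9 dport=9100 bytes=640
2017-06-07T22:12:05Z printer01 conn src=10.0.4.17 dport=443 bytes=300
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dport=(?P<dport>\d+)")

def parse_line(line):
    """Return (source_ip, dest_port), or None for lines that are not connection records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("src")), int(m.group("dport"))
    except ValueError:  # malformed address
        return None

def is_external(ip):
    """True when the source lies outside every internal range."""
    return not any(ip in net for net in INTERNAL_NETS)

def find_external_print_jobs(log_text):
    """List (src, service) for print-service connections arriving from the internet."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport = parsed
        if dport in PRINTER_PORTS and is_external(src):
            hits.append((str(src), PRINTER_PORTS[dport]))
    return hits
```

Every hit is a print service reachable from the internet, which is the exposure to close at the firewall before an attacker rather than a prankster finds it.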
Some view this action as a public service, though McKiernan noted, “We do not condone it – but by sending messages to the screens of 150,000 open internet users, with embedded code to send a screen message, using genuine functionality, awareness of the problem is growing.” As McKiernan observes, “It’s amazing what a security incident will do for the perspective of company management!”
Nilanthi Wickramasinghe