At DEF CON 2018, security researchers demonstrated how they were able to infiltrate networks by exploiting vulnerabilities in HP OfficeJet All-in-One printers. Named “Faxploit” by the researchers, Eyal Itkin and Yaniv Balmas, the attack involves security flaws in the implementation of the fax protocol used by the OfficeJet printers.
What are the vulnerabilities involved in Faxploit?
Faxploit involves stack overflow vulnerabilities in the implementation of the fax protocol in all versions and models of OfficeJet printers. This means that the structure that stores data on running software is vulnerable to being overloaded, which can cause it to crash. Attackers can use this as an entry point to gain access to or elevate privileges on the network and systems connected to it.
Itkin and Balmas demonstrated this at DEF CON by sending an specially crafted fax containing data that exploits the security flaws, enabling them to use the printers as a doorway into the network they’re connected to.
HP has released patches for the vulnerabilities (CVE-2018-5924 and CVE-2018-5925) and users are recommended to apply the firmware updates.
A fax number is reportedly all it takes to exploit the vulnerabilities and in turn hijack the network and systems connected to it, and infect them with malware or steal data. In their presentation, the researchers employed EternalBlue to hack into systems connected to the vulnerable network and steal data from them. EternalBlue became notorious for being weaponized to deliver various threats, including the WannaCry/WCry and Petya/NotPetya ransomware, fileless cryptocurrency-mining malware, and the Retefe banking trojan.
And while fax machines may seem like a thing of the past to many, they are still ubiquitous. In fact, 82 percent of surveyed organizations reported increasing their usage of fax in 2017, and fax machines are still widely used particularly in the healthcare industry. Also, many of today’s printers used by businesses worldwide come with faxing functionalities.
How can managed detection and response address threats like Faxploit?
Faxploit is yet another example of how unsecure devices can broaden an organization’s attack surface. Internet-of-things (IoT) devices such as printers, routers, and even internet-connected speakers are always in the crosshairs of attackers — whether to be used for zombifying other devices and launching other attacks, or as a way to hide and evade detection.
In the case of the Crysis ransomware, for instance, the malware injects trojans in connected devices such as printers and routers. This enables attackers to regain access to and re-infect the system, which can make remediation challenging. Another example is point-of-sale malware that is designed to stay as long as possible in order to steal more payment card data.
Indeed, advanced threats can affect devices that may not have protection against them (e.g., printers and scanners), enabling them to dwell for an extended period before they are detected and cleaned up. And the longer that stealthy malware dwells, the more damage it can inflict.
An effective strategy for enterprises is actively correlating network traffic with endpoint activity —something that managed detection and response (MDR) can provide, particularly to organizations without the time, resources, and full-time security teamsto actively monitor their online premises. Proactive threat correlation helps identify where the malware could be hiding, how it’s infecting systems, and if it has additional payloads, and also helps determine if the attacks have affected devices connected to them so they can be promptly remediated.
Trend Micro’s managed detection and response service allows customers to investigate security alerts without the need to hire qualified incident response staff. It provides alert monitoring, alert prioritization, investigation, and threat hunting services to Trend Micro customers. By applying artificial intelligence models to customer endpoint data, network data, and server information, the service can correlate and prioritize advanced threats. Trend Micro threat researchers can determine the extent and spread of the attack and work with the customer to provide a detailed remediation plan.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).