The term “advanced persistent threat” (APT) has become almost as mainstream in everyday news as the security breaches themselves. With a multitude of scary pandas, jackals, lions and spiders to worry about entering your corporate network, it can be hard to see that these advanced threats share some basic requirements for gaining a foothold in your network. We’ll walk through some of the adversary’s thought process here.
What are they looking for?
Generally, an advanced adversary does its due diligence, researching a potential target’s network architecture through open source means. While many of today’s attack vectors involve spear-phishing persons associated with the target to gain initial access, an advanced attacker does not want to re-exploit a user repeatedly unless forced to, because each re-exploitation increases the chance of being detected. An ideal target provides persistent access: the gold standard is a host that is powered on 24/7 and can communicate back out to the Internet by direct or indirect means.
Most people think of servers: a mail server, a corporate SFTP server, an NTP, Web or database server. These all make great targets because they are always on, but today’s companies normally defend these critical systems with firewalls, two-factor authentication, custom service ports, whitelisting, access control and role-based access lists, logging, and more, all of which can certainly serve as deterrents. However, can you think of anything besides servers that is generally powered on at all times? Consider your business and ask yourself whether you ever power down the local printer near your desk. The majority of businesses leave these devices enabled.
And if you think the idea of using a printer as a form of network persistence is far-fetched, be aware that printer vulnerabilities that give an attacker a remote shell have already been reported publicly.
One of the most overlooked but critical network services that a company provides for employees is printing. Printing services today offer a plethora of abilities far exceeding standard printing thanks to multi-function printers (MFPs). These devices allow scanning, faxing, storing data to a local network share, and direct emailing. Many companies are even investing in and moving to a dedicated pull printing architecture, in which a server exists only to handle print requests and delegate print jobs, reducing internal network traffic.
Regardless of the printing architecture in place, when you think about the information that a company printer views in a typical day — proprietary data, intellectual property, and personally identifiable information of employees — you can begin to understand why a printer might also become the target of a compromise. A recently published report, discussed in an article by Quocirca, reveals company statistics on data compromises and data leaks due to printing services. Chart 1 shows compromises related to pull printing architectures while Chart 2 shows compromises related to MFPs for the past year.
In my opinion, the more interesting statistic these charts display is the number of companies that have no idea whether or not they have experienced data compromise due to a printer in the network.
Let’s take this idea a step further…
Once an adversary has established a foothold within the network, the attacker’s next step is to move laterally with the end goal of obtaining data from a company’s critical hosts or critical users. While many companies may be able to close an active attacker session in the network once it is detected, most fail to identify exactly how the attacker compromised a specific host in the first place. It is imperative to understand the exact entry point used to gain access, because the attacker will most likely come in again from the same point of persistence. This failure is magnified with respect to printers, since many responders (and tools) do not include them in their investigations. Playing “whack-a-mole”, as it is sometimes called within the industry, is not an effective way to permanently remove an unwanted third party from a compromised network.
So what can you do?
Our suggested security measures range from very simple printer configuration changes to network infrastructure changes.
- Make it a point to power down the printers at the end of the day to decrease the time available for an attack. A typical malicious actor cannot access a network through a device that is powered down.
- Change the default web management credentials of the printer to prevent unwanted logins or disable remote Web management completely if not needed. Most printers have remote Web management capabilities built into the firmware. In multiple customer engagements, I have simply logged into the Web console of the printer and been automatically given administrative access, allowing me to reconfigure scanning and emailing locations and enable insecure protocols. With administrative access, an attacker can flash firmware, install additional software, and pivot through the device.
- Implement a virtual LAN (VLAN) only for printers. This setup limits what network devices the printer can communicate with and prevents lateral movement in a network if a printer compromise occurs.
- Choose printers that only communicate and can be configured over secure protocols like HTTPS, SFTP or SSH. This can be difficult because some firmware is programmed to use clear-text communication protocols; be sure to read the technical details of the specific printer device.
- Clear printer buffers and histories often. Many printers will save copies of what was printed or scanned in memory or in a history log that anyone can view if compromised or insecurely configured. I have easily pulled proprietary company data and sensitive employee data during engagements using these additional printer features.
- Disable functions that you do not need. MFPs provide many capabilities, but if your company does not utilize some of these built-in functions, disable them.
- Do not allow firmware updates directly from the Internet. Treat a printer like a trusted employee computer and roll out updates within the network after ensuring the new firmware or patch is legitimate.
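Several of the recommendations above (printer VLAN, no direct Internet access, secure management protocols) can be checked against network telemetry. The following added example, which is not part of the original article, audits constructed NetFlow-style records for printer-initiated Internet egress, printer-initiated connections to hosts outside the print infrastructure, and clear-text management of printers; the addresses, inventory and flows are invented for illustration.

```python
import ipaddress

# Constructed sample inventory (not from the article): printer addresses, the
# pull-printing server and an internal firmware staging host.
PRINTERS = {"10.20.5.11", "10.20.5.12", "10.20.5.13"}
PRINT_SERVERS = {"10.20.1.5"}
UPDATE_MIRROR = "10.20.1.9"
ALLOWED_PEERS = PRINT_SERVERS | {UPDATE_MIRROR}   # hosts a printer may initiate to

# Clear-text management protocols the article recommends replacing with HTTPS/SFTP/SSH.
CLEARTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# RFC 1918 ranges; anything outside them is treated as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("10.20.1.5", "10.20.5.11", 9100, "tcp"),    # print server -> printer: expected
    ("10.20.5.11", "10.20.1.5", 445, "tcp"),     # printer -> print server (scan to share): allowed
    ("10.20.5.12", "203.0.113.77", 443, "tcp"),  # printer -> Internet: unsanctioned egress
    ("10.20.5.12", "10.20.30.41", 445, "tcp"),   # printer -> workstation: possible lateral movement
    ("10.20.30.41", "10.20.5.13", 80, "tcp"),    # workstation -> printer web UI over HTTP
    ("10.20.5.13", "10.20.1.9", 443, "tcp"),     # printer -> internal update mirror: allowed
]


def is_internal(ip):
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_printer_flows(flows, printers, allowed_peers):
    """Return (printer, finding, detail) tuples for flows that violate the hardening guidance."""
    findings = []
    for src, dst, port, proto in flows:
        if src in printers:                       # printer initiated the connection
            if not is_internal(dst):
                findings.append((src, "internet-egress", f"{dst}:{port}/{proto}"))
            elif dst not in allowed_peers:
                findings.append((src, "lateral", f"{dst}:{port}/{proto}"))
        if dst in printers and port in CLEARTEXT_MGMT_PORTS:
            findings.append((dst, "cleartext-mgmt", f"{CLEARTEXT_MGMT_PORTS[port]} from {src}"))
    return findings


if __name__ == "__main__":
    for printer, finding, detail in audit_printer_flows(FLOWS, PRINTERS, ALLOWED_PEERS):
        print(f"{printer}\t{finding}\t{detail}")
```

The egress and lateral findings are the ones a VLAN with a deny-by-default ACL would have blocked; the clear-text finding points at a printer whose management interface should be switched to HTTPS or disabled.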
To reiterate, reduce your company’s attack surface and the persistence options available to an attacker by powering down printers (and other critical systems) when they are not needed. Hardening the printing service that views company intellectual property and other sensitive data on a daily basis can be a quick security win and help prevent expensive data leaks and future compromise.

Reference: http://louellafernandes.com/2015/01/29/closing-print-security-gap/