According to Vectra, a security research firm, you can weaponize any one of these printers to push malware, all thanks to a Windows flaw that goes back almost 20 years. The method is pretty simple: you hack the printer and replace one of the driver DLLs with something that contains a backdoor. On most printers there is a hidden share that contains the drivers for immediate installation without the need for media. These files transfer over SMB, so downloading and uploading them is not that difficult to accomplish. Once the file has been replaced, everything is set. When a new computer connects, it downloads and runs the driver using system credentials, and you are golden.
This hack also applies to Windows and Linux print servers, which can be used to push out malware as long as you have access to the folders where the drivers are stored. Of course, in almost every breach the attackers are working toward domain admin credentials, so it is likely that they will have this access pretty quickly. All of this hacking goodness is provided to you thanks to the Windows Point and Print service. Vectra points out why something like this would be done:
“This is where Point-and-Print showed up. This approach stores a shared driver on the printer or print server, and only the users of that printer receive the driver that they need. At first glance, this is a practical and simple solution to driver deployment. The user gets access to the printer driver they need without requiring an administrator – a nice win-win.
The problem is that for this scheme to work nicely from an end-user perspective, an exception was required. Normally, User Account Controls are in place to warn or prevent a user from installing a new driver. To make printing easier, an exception was created to avoid this control. So in the end, we have a mechanism that allows downloading executables from a shared drive and running them as system on a workstation without generating any warning on the user side. From an attacker perspective, this is almost too good to be true, and of course we had to give it a try.”
What makes this even more interesting is that in a check of recent breach information (what was available), we found that print servers were often attacked very early in the process. Whether this related to pushing out malware is unclear, but we have seen cases where the shares available on print servers were used to stage data and as an exfiltration point. Now we may see printers attacked directly, in an attempt to spread malware or remote tools into an organization during an initial attack, or later in an attack to automate lateral movement.
Microsoft has a patch for this issue available now, and Vectra also has some remediation steps available in its write-up about this flaw. We highly recommend you check this out and patch as soon as possible. We also recommend that you check your printers and lock down unneeded protocols and access to the admin pages before those cool and convenient printers are used to infect your network.
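One practical check that follows from the mechanism described above: a driver DLL swapped out on a Point and Print share only does damage once a workstation or print server has pulled it down and loaded it, so an inventory of the locally installed printer driver binaries and their Authenticode signatures is a reasonable place to look for a tampered package. The script below is an added example written for this article; it is not code from Vectra, Microsoft, or the article's author. It assumes the built-in PrintManagement module (Get-PrinterDriver), that the Path, ConfigFile, DataFile and DependentFiles properties hold full paths on disk, and an elevated PowerShell session.

```powershell
# Added example (not from the article or Vectra): list the printer drivers
# installed on this Windows machine and flag driver binaries that are unsigned,
# fail signature validation, or are referenced but missing on disk.
# Assumptions: PrintManagement module present, properties hold full paths,
# session is elevated.

function Get-PrinterDriverSignatureReport {
    [CmdletBinding()]
    param()

    foreach ($driver in Get-PrinterDriver) {
        # Every file that belongs to the driver package: main driver binary,
        # its config and data files, and any dependent files.
        $files = @($driver.Path, $driver.ConfigFile, $driver.DataFile)
        if ($driver.DependentFiles) { $files += $driver.DependentFiles }

        foreach ($file in ($files | Where-Object { $_ } | Select-Object -Unique)) {
            if (-not (Test-Path -LiteralPath $file)) {
                # Referenced by the driver but absent from disk; worth a look.
                [pscustomobject]@{
                    Driver = $driver.Name
                    File   = $file
                    Status = 'Missing'
                    Signer = $null
                }
                continue
            }

            # Only executable content carries an Authenticode signature;
            # skip .inf, .gpd and similar data files.
            if ([IO.Path]::GetExtension($file) -notin '.dll', '.exe', '.sys') { continue }

            $sig    = Get-AuthenticodeSignature -FilePath $file
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            [pscustomobject]@{
                Driver = $driver.Name
                File   = $file
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer = $signer
            }
        }
    }
}

# Show only the entries that need attention: unsigned, tampered, or missing.
Get-PrinterDriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Driver, File |
    Format-Table -AutoSize
```

A HashMismatch status on a vendor driver DLL, or an unsigned DLL in a package whose other files are signed, is the kind of result to investigate against the copy on the print server or printer share. Run the same report on the print servers themselves, since they are the distribution point.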