
Fresh Spectre Variants Come to Light

Two new speculative execution bugs have earned researchers a $100,000 bug bounty from Intel.

MIT’s Vladimir Kiriansky and independent researcher Carl Waldspurger uncovered what they call Spectre1.1 and a subset, Spectre1.2, collectively referred to as Variant 4 of Spectre by Intel and ARM. Like the original Spectre and Meltdown vulnerabilities, they can be exploited to uncover confidential information via microarchitectural side channels in Intel and ARM CPUs.

Both leverage speculative stores, the researchers said in two papers posted on Tuesday: Spectre1.1 (CVE-2018-3693) can be used to create speculative buffer overflows, while Spectre1.2 allows attackers to overwrite read-only data and code pointers to breach sandboxes on CPUs that don’t enforce read/write protections.

In both cases, the end result is the ability to get malicious code past hardcoded processor security measures – opening the door for data exfiltration. They also could provide a mechanism for further arbitrary code execution on both local and remote targets, according to the paper.

The researchers validated that Intel x86 CPUs are impacted, and ARM said that its Cortex-A57, A72, A73 and A75 processors are affected as well. The vulnerabilities are not yet patched, and the two noted that both of them can get around existing Spectre mitigations/patches that may be in place.

“These issues are likely to primarily impact operating systems and virtualization platforms [that execute untrusted code], and may require software update, microcode update or both,” said Oracle director of security assurance, Eric Maurice, in a note Tuesday.

Like all Spectre variants, the new discoveries are based on speculative memory access, causing cache allocation. Timing analysis of memory accesses can then be used to reveal data that would otherwise be kept secret.

“Variant 4 is a Spectre-type attack utilizing a CPU technology known as memory disambiguation, a technology used in high-end CPUs to enable greater out-of-order execution and higher performance,” ARM explained in an update Tuesday. “Simply put, this is a race between a store and following load that target the same memory location whereby under specific conditions, a speculative load can overtake a store, resulting in the load returning stale data.”

That data can then be used to construct an address that drives cache allocation, which in turn can be used to leak data to an attacker across a privilege boundary—like the original Spectre.

The discovery earned the researchers a cool $100,000 from Intel’s HackerOne bug-bounty program. Intel had rolled out a significant expansion of its bug bounty program in February on the heels of the original discovery of the Spectre and Meltdown variants earlier this year.

Intel said in an updated Spectre paper that there are both software mitigations for the flaws as well as operating system steps that developers can take for Windows and Linux environments.


Multiple Bugs Found in QNAP Q’Center Web Console

Researchers found an array of high-severity vulnerabilities in network storage vendor QNAP’s web console, which could enable an authenticated attacker to gain privileges and execute arbitrary commands on the system.

The web-based platform, Q’center, allows users to manage network attached storage across multiple sites. According to SecureAuth and CoreSecurity’s security advisory, issued Wednesday, Q’center version 1.6.1056 and Q’center version 1.6.1075 are impacted.

“Multiple vulnerabilities were found in the QCenter web console that would allow an attacker to execute arbitrary commands on the system,” researchers said. “QNAP’s QCenter web console includes a functionality that would allow an authenticated attacker to elevate privileges on the system.”

QNAP said in a security advisory that it has fixed the issues in Q’center Virtual Appliance version 1.7.1083 and later, and urged customers to update to the latest version.

Researchers discovered five vulnerabilities total, including an information exposure issue in an API endpoint of the web application that allows privilege escalation; and four command-injection issues in different admin functions and setting configurations.

Vulnerabilities

Researchers found the privilege escalation flaw (CVE-2018-0706) in the application’s API endpoint, which functions to return information about the accounts defined in the database.

An authenticated user can access that endpoint and view the information that is being returned, researchers said. There they can see an extra field (that’s labeled “new_password”) that contains the password for the administrator, encoded in base64.

“Any authenticated user could access this API endpoint and retrieve the admin user’s password, therefore being able to login as an administrator,” researchers said.

From there, four command execution flaws could enable an attacker to inject commands in the password input.

One of these command execution vulnerabilities (CVE-2018-0707) enables hackers to tweak the “change password” function for the administrative user.

When the admin user performs a password change, the application executes an OS command to apply the change. Due to the flaw, the input is not properly sanitized when passed down to the OS, allowing an attacker to run arbitrary commands, researchers said.

“The API requires the password to be sent encoded in base64,” researchers said. “This makes it a lot easier to inject commands, as we do not need to bypass any filters. For the admin user in the web application, there is also a backing user present on the OS.”
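An added defensive illustration of the two points above, written here and not QNAP's code: an account endpoint that strips secret fields before responding, server-side role checks instead of UI-only hiding, and a password change that hands the decoded password to the OS as one literal argument rather than through a shell. The helper path, role names and every field name other than "new_password" are assumptions.

```python
import base64
import json
import subprocess
import sys

# Fields an account-listing endpoint must never return, even to an
# authenticated caller. "new_password" is the field name reported in the
# advisory; the other two are assumed names for illustration.
SENSITIVE_FIELDS = frozenset({"new_password", "password", "password_hash"})

# Server-side authorization table (assumed role and action names). Hiding a
# control in the web UI is not access control; every request is checked here.
ACTION_ROLES = {
    "change_admin_password": {"admin"},
    "update_ssh_settings": {"admin"},
    "update_network_settings": {"admin"},
    "update_date_settings": {"admin"},
    "view_dashboard": {"admin", "power_user", "user"},
}

USERNAME_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")


def account_view(record):
    """Project a stored account record to what the API may return."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


def is_authorized(role, action):
    """Deny by default: unknown actions and unknown roles are refused."""
    return role in ACTION_ROLES.get(action, set())


def decode_password(b64_password):
    """Decode the base64 password field. Base64 hides nothing from the OS: the
    decoded bytes are what reach the command, so validate them, not the
    encoding. NUL cannot be an argv byte and LF would break line-oriented
    input, so both are refused."""
    try:
        raw = base64.b64decode(b64_password, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("password field is not valid base64") from exc
    password = raw.decode("utf-8")  # UnicodeDecodeError for non-text bytes
    if not password or "\x00" in password or "\n" in password:
        raise ValueError("password is empty or contains a control character")
    return password


def build_change_password_argv(username, password):
    """Build an argv list for a hypothetical change-password helper.

    The vulnerable shape is string concatenation handed to a shell, e.g.
    os.system("set-os-password --user %s --password %s" % (u, p)), where a
    password of "x; id" becomes two commands. An argv list run with
    shell=False has no command parser in the path, so the whole string is
    delivered as one literal argument whatever metacharacters it holds.
    """
    if not username or not set(username) <= USERNAME_CHARS or username[0] == "-":
        raise ValueError("invalid username")
    return ["/usr/local/sbin/set-os-password",  # hypothetical helper path
            "--user", username, "--password", password]


def deliver_argv(argv):
    """Run argv without a shell and return the arguments the child received.

    The helper binary is replaced by a one-line Python child that echoes its
    argv as JSON, so the example runs anywhere Python does.
    """
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"] + argv[1:]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def change_password(session_role, username, b64_password):
    """Full request path: authorize, decode, build argv, deliver."""
    if not is_authorized(session_role, "change_admin_password"):
        raise PermissionError("role %r may not change the admin password" % session_role)
    return deliver_argv(
        build_change_password_argv(username, decode_password(b64_password)))


if __name__ == "__main__":
    # Constructed record in the shape the advisory describes: an account row
    # carrying the admin password, base64-encoded, in "new_password".
    stored = {"id": 1, "username": "admin", "role": "admin",
              "new_password": base64.b64encode(b"s3cret").decode()}
    print(account_view(stored))
    print(change_password("admin", "admin", base64.b64encode(b"x; id; $(id)").decode()))
```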

Once a hacker obtains the OS password from the privilege escalation vulnerability, they can modify the network configuration.

Beyond that, researchers discovered multiple flaws in the web console that could enable users with a “Power User” profile to execute various functions, despite not having access to them in the web application interface.

This profile is also capable of modifying the SSH configuration via a command execution bug (CVE-2018-0710) in SSH settings configuration update; modifying the network configuration (CVE-2018-0708) and modifying the date configuration (CVE-2018-0709).

Core Security first notified QNAP about the flaws March 13, including a draft advisory. Researchers said other products and versions might be affected, but they were not tested. The vulnerabilities were discovered by Ivan Huertas from Core Security Consulting Services.

To update Q’Center Virtual Appliance, customers can go to qnap.com/utilities in their web browser and download the Q’Center Virtual Appliance Patch.


Ticketmaster Breach: Just One Part of a Wide-Ranging Campaign

Ticketmaster’s announcement back on June 28 that it was the victim of a payment-card breach turns out to be part of a much larger card-skimming campaign by the threat group Magecart.

A whopping 800 e-commerce sites around the world have been targeted by the crooks so far, according to RiskIQ. Further, they have been using a wide range of software partners to get at the card information.

“The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites. The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world,” researchers said in a blog posted on Tuesday.

Digital card skimmers use scripts injected into websites to steal data that’s entered into online payment forms on e-commerce sites, they explained. It was reported at the time of the Ticketmaster breach that hackers had placed one of these on various Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta. But that turned out to be just a breadcrumb leading to a larger discovery.

“Our investigation following the Inbenta breach uncovered evidence that the Inbenta attack was not a one-off, but instead indicative of a change in strategy by Magecart from focusing on piecemeal compromises to targeting third-party providers like Inbenta to perform more widespread compromises of card data,” analysts wrote.

The firm found that the group’s tactics have resulted in successful breaches of third-party providers including Inbenta, the SocialPlus social media integration firm, web analytics companies PushAssist and Annex Cloud, the Clarity Connect CMS platform and others, it said. RiskIQ also said that as a result, it found evidence the skimmer was active on a broader range of Ticketmaster websites than previously known, including Ticketmaster sites for Ireland, Turkey and New Zealand, among others. Originally, Ticketmaster said its UK site was primarily impacted.

“Ticketmaster Germany, Ticketmaster Australia and Ticketmaster International (previously mentioned in the Inbenta breach) were also compromised via another completely different third-party supplier of functionality,” the firm said.

The scripts for that supplier, SocialPlus, were modified on subdomains specifically set up for Ticketmaster as a customer, according to RiskIQ. Researchers said that they observed instances in December and January where the Magecart skimmer was injected into multiple Ticketmaster websites via SocialPlus scripts.

“Currently, those scripts seem to be clean, but we do not know if either Ticketmaster or SocialPlus are aware of this breach or if they’ve had discourse with each other about it,” RiskIQ said.

Ticketmaster did not immediately respond to requests for comment.

Further, RiskIQ found that the Magecart drop servers are multi-use and skimmed data is tagged with the website from which it was stolen. These command-and-control servers have been active since December 2016 – meaning that the scope of the activity is potentially vast when taken across all possible compromises. In the case of one highly-targeted campaign that RiskIQ dubbed ServerSide, nearly 100 top-tier victims, which the firm said are “mainly online shops of some of the largest brands in the world” were infected with the skimmer software.

“We can only guess how much payment data they were able to steal [from e-commerce providers in total], but we suspect they have an immense treasure trove of payment details,” researchers said. “Magecart is an active threat that operates at a scale and breadth that rivals—or possibly surpasses—the recent compromises of point-of-sale systems of retail giants such as Home Depot and Target.”

In all, the Ticketmaster breach represents an evolution for the Magecart actors towards greater sophistication.

“Previously, they compromised individual websites and added new Javascript or links to remote Javascript files, but they seem to have gotten smarter – rather than go after websites, they’ve figured out that it’s easier to compromise third-party suppliers of scripts and add their skimmer. In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly.”
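The defender-side check that this shift toward compromised script suppliers calls for, as an added example that is not RiskIQ's or Ticketmaster's code: third-party script bytes are verified against the page's Subresource Integrity attributes, or against a hash pinned at the last review when the tag carries none, so a supplier file that has been altered is flagged instead of silently executing. Hostnames, script bodies and the verdict names are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")  # weakest to strongest


def sri_digest(data, algo="sha384"):
    """Return an SRI value such as "sha384-<base64 digest>" for script bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError("unsupported SRI algorithm: %s" % algo)
    digest = hashlib.new(algo, data).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode())


def verify_sri(data, integrity):
    """Check bytes against an integrity attribute that may list several
    hashes; like a browser, only entries of the strongest algorithm count."""
    entries = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in SRI_ALGOS and digest:
            entries.append((SRI_ALGOS.index(algo), algo, digest))
    if not entries:
        return False
    strongest = max(rank for rank, _, _ in entries)
    return any(sri_digest(data, algo) == "%s-%s" % (algo, digest)
               for rank, algo, digest in entries if rank == strongest)


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_page(html, page_host, fetched, pinned):
    """Audit the external scripts of one page.

    fetched: {src: bytes} currently served at each script URL (downloaded in a
             real run; passed in here so the example is offline).
    pinned:  {src: integrity} recorded the last time each script was reviewed.
    Verdicts: "first-party", "ok", "integrity-mismatch" (tag has integrity but
    bytes differ), "pin-mismatch" (no integrity attribute and bytes differ from
    the pin) and "missing-integrity" (third-party, neither attribute nor pin).
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname
        if host is None or host == page_host:
            findings.append((src, "first-party"))
        elif integrity:
            findings.append((src, "ok" if verify_sri(fetched.get(src, b""), integrity)
                             else "integrity-mismatch"))
        elif src in pinned:
            findings.append((src, "ok" if verify_sri(fetched.get(src, b""), pinned[src])
                             else "pin-mismatch"))
        else:
            findings.append((src, "missing-integrity"))
    return findings


def demo():
    """Constructed checkout page with one first-party script, a social widget
    that ships an integrity attribute, and an analytics script that does not.
    Hostnames and script bodies are invented."""
    widget = b"window.socialWidget = function () {};"
    analytics_reviewed = b"window.track = function (e) {};"
    # The same analytics file as served after a hostile change: the original
    # code plus an appended function that reads the payment form.
    analytics_now = analytics_reviewed + b"\n(function(){ /* reads #payment */ })();"
    html = ("<html><head>"
            "<script src=\"/static/app.js\"></script>"
            "<script src=\"https://widget.example-social.test/w.js\" integrity=\"%s\""
            " crossorigin=\"anonymous\"></script>"
            "<script src=\"https://cdn.example-analytics.test/t.js\"></script>"
            "</head><body><form id=\"payment\"></form></body></html>") % sri_digest(widget)
    fetched = {"https://widget.example-social.test/w.js": widget,
               "https://cdn.example-analytics.test/t.js": analytics_now}
    pinned = {"https://cdn.example-analytics.test/t.js": sri_digest(analytics_reviewed)}
    return audit_page(html, "shop.example.test", fetched, pinned)


if __name__ == "__main__":
    for src, verdict in demo():
        print(verdict, src)
```

A "pin-mismatch" or "integrity-mismatch" on a supplier script is the signal to pull the script and diff the served bytes against the reviewed copy before trusting the supplier again.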

Stephen Boyer, CTO and co-founder at BitSight Technologies noted that the situation points out once again the weakness of supply chains.

“Post the Ticketmaster breach, organizations must incorporate the lessons learned,” he said via email. “This breach once again highlights the increasing vulnerability in the extended ecosystem that comes through exploitation through third parties. Businesses need to continuously assess and monitor the security posture and performance of its partners in order to gain visibility in the changing threat landscape, and to prioritize risk mitigating actions.”


Adobe Flash Player Zero-Day Spotted in the Wild

The South Korean Computer Emergency Response Team issued a warning Wednesday of a new Adobe Flash Player zero-day spotted in the wild. The security bulletin warns that the attacks are focused on South Koreans and involve malicious Microsoft Word documents.

According to the South Korean Computer Emergency Response Team (KR-CERT), the zero-day is believed to be a Flash SWF file embedded in MS Word documents. Adobe’s most recent Flash Player, version 28.0.0.137, and earlier versions are impacted.

“An attacker may be able to convince a user to open a Microsoft Office document, web page, or spam mail containing a Flash file,” according to a machine translation of the KR-CERT security bulletin.

Adobe released a security advisory on Thursday acknowledging the vulnerability and attacks.

“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. Adobe will address this vulnerability in a release planned for the week of February 5,” according to the advisory.

Adobe said the zero-day is exploiting the vulnerability CVE-2018-4878, a critical remote code execution bug. According to Adobe it was discovered in Adobe Flash Player before 28.0.0.137. Adobe credits KR-CERT for reporting this issue.

Adobe said affected products are versions of Adobe Flash Player Desktop Runtime (Win/Mac), Adobe Flash Player for Google Chrome (Win/Mac/Linux/Chrome OS), Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Win 10 & 8.1) and Adobe Flash Player Desktop Runtime (Linux). A complete list is available here.

Simon Choi, a security researcher with the South Korean security firm Hauri, claimed on Twitter that the zero-day vulnerability originated in North Korea and has been in use since mid-November 2017. Targeted are South Koreans researching online for information about North Korea.


KR-CERT is recommending users refrain from using Microsoft’s Internet Explorer browser and use Mozilla’s Firefox browser instead.

On Thursday Adobe recommended:

“Beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content. For more details, see this administration guide. Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode,” Adobe said.


Phishing Biggest Threat to Google Account Security


Last year may have been mostly about ransomware, but it’s difficult to forget the billion or so passwords that were spilled in high-profile breaches and credential leaks.

Google and researchers from the University of California Berkeley attempted to ease some of that pain, and teamed up to analyze how cybercriminals operating underground markets for stolen credentials steal, use and monetize this data.

Looking at black market activity from March 2016 to March 2017 and its impact on Google accounts exclusively, the researchers said they wanted to know how the multitude of keyloggers, phishing kits and data from publicly known breaches offered for sale can be turned into valid email credentials and, in turn, control over a user’s online identity.

The news isn’t good.

In a paper presented at the recent Conference on Computer and Communications Security, Google said that between 7 percent and 25 percent of exposed passwords matched a victim’s Google account. Overall, Google and UC Berkeley estimate there are 1.9 billion usernames and passwords cultivated from breaches that are being traded on the black market. Tack on to that another 12.4 million victims of phishing kits and another 788,000 victims of commercial keyloggers and the climate is dire.

“We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s,” the researchers wrote.

Of the black markets tracked in this research, Google said there are 25,000 tools for phishing and keyloggers at attackers’ disposal. Even though attackers are failing to access Google accounts three out of four times, it’s not for a lack of effort.

“Because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity,” Google said in a blog post accompanying the report. “We found 82 percent of blackhat phishing tools and 74 percent of keyloggers attempted to collect a user’s IP address and location, while another 18 percent of tools collected phone numbers and device make and model.

“By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches,” Google said.

Phishing remains one of the most successful phenomena in security, despite more than a decade of education and examples of successful attacks based on the technique.

“Hijackers also have varying success at emulating the historical login behavior and device profile of targeted accounts. We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user,” the researchers wrote. “In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. This discrepancy results from phishing kits actively stealing risk profile information to impersonate a victim, with 83 percent of phishing kits collecting geolocations, 18 percent phone numbers, and 16 percent User-Agent data.”

Backing this up, the researchers found more than 4,000 phishing kits used in active attacks during the period of time studied compared to 52 keyloggers. Phishing kits are all-in-one packages of tools for creating and configuring the content used in these attacks, including email and website creation. These kits generally are used to collect a victim’s username and password, but also geolocation information and a lot more. The credentials are forwarded to the attacker over SMTP or FTP, or by uploading them to a website. Most phishing kits—and keyloggers—are configured to steal Gmail credentials, the study said. Yahoo webmail users, however, were the biggest victims of credential leaks. Yahoo has reported that at one time all of its 3 billion users’ data has been exposed to attackers.

Google said it has already used this data to reinforce the security of Gmail.

“Our findings illustrate the global reach of the underground economy surrounding credential theft and the need to educate users about password managers and unphishable two-factor authentication as a potential solution,” the researchers wrote.


Threatpost News Wrap Podcast for Nov. 10

Threatpost editors Mike Mimoso and Tom Spring discuss the week’s information security news, including Chris Valasek’s and Charlie Miller’s return to the security speaking rounds, a phony WhatsApp download pulled from Google Play, a deep dive into the recent cloud-based storage leaks, and the recent Tor patch for a bug leaking real IP addresses for Linux and macOS users.

Download: http://traffic.libsyn.com/digitalunderground/ThreatpostNewsWrapNov10.mp3

Music by Chris Gonsalves

Show notes:


AutoIt Scripting Used By Overlay Malware to Bypass AV Detection


IBM’s X-Force Research team reports hackers attacking Brazilian banks are using the Windows scripting tool called AutoIt to install a remote access Trojan (RAT) capable of hijacking browser-based banking sessions.

The use of AutoIt, researchers said, reduces the likelihood of antivirus detection. Attackers are often able to sidestep AV by using an AutoIt script to compile malicious code and run it as a valid AutoIt framework process.

AutoIt is a freeware administration tool for automating system management processes via scripts.

The use of AutoIt prevents static AV detection from recognizing the malware’s hash signature, said X-Force researchers Gadi Ostrovsky and Limor Kessem who co-authored a report on the RAT Wednesday.

Once deployed, the RAT monitors the host’s browser window title bar waiting for bank names. If detected, a full-screen image or webpage blocks the victim from the real bank’s webpage. Next, the RAT “take(s) control of the victim’s endpoint and the banking session he or she may have already authenticated,” according to researchers.

“The malware’s operator remotely initiates a fraudulent transaction from the victim’s endpoint and may prompt the user to provide additional details by using the fake overlay screen,” researchers said.

X-Force researchers said Brazil has become a hotbed for financial malware and that recent uses of overlay malware highlight a trend of more sophisticated malicious code used in the region.

“In the past year, we have observed the rise of malware, such as Client Maximus and similar codes, that uses remote access with overlay screens for bank fraud operations in Brazil. Recently, we detected a remote access Trojan (RAT) malware that uses the same overall technique, but with an added twist to its antivirus evasion method,” according to X-Force.

The RAT does not have a name and its code is written in Delphi, a programming language common among hackers targeting Brazil. “These Delphi-based codes attacking in Brazil see so much code re-use there, that the malware is not defined into ‘families’ like the ones we know from the modular Trojan world (Zeus, Ursnif, Dridex, etc),” said Kessem in an interview with Threatpost.

AutoIt has been leveraged several times in the past by attackers as a way to circumvent AV. Cisco Talos noted in 2015 a group of hackers had used the tool in conjunction with phishing attacks to install a RAT designed to maintain persistence on the target’s system by mimicking normal sys admin activity.

In 2013, researchers noted an uptick in malware utilizing AutoIt as a scripting language, and instances of keylogger and RAT builders developed with AutoIt being uploaded to text storage and sharing sites such as Pastebin.

In Brazil, X-Force researchers said, overlay malware remains the preferred way to carry out attacks against banks. “As long as those types of attacks continue to serve them, threat actors are unlikely to see a need for change,” researchers wrote.


New IcedID Trojan Targets US Banks


Researchers are warning users about a wave of recent attacks targeting U.S. financial institutions that leverage a new banking Trojan dubbed IcedID.

The IcedID Trojan was spotted in September by researchers at IBM’s X-Force Research team. They said the Trojan has several standout techniques and procedures, such as the ability to spread over a network and the ability to monitor a browser’s activity by setting up a local proxy for traffic tunneling.

“At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S.,” researchers wrote in a report released Monday explaining the discovery. Two U.K.-based banks are also targeted by the malware.

Similar to the TrickBot and Dridex Trojans, IcedID uses both webinjection and redirection attack techniques, researchers said.

“While it is still early to tell how it will fare, its current capabilities, distribution choices and targets point to a group that is no stranger to this domain,” wrote Limor Kessem, Maor Wiesen, Tal Darsan and Tomer Agayev, the X-Force researchers who co-authored the report.

They said IcedID is being distributed by the Emotet Trojan, which is used as a dropper to put IcedID on targeted systems. Emotet is known for its spam campaigns, designed to look like messages from banks, which contain malicious .zip archives.

“IcedID possesses the ability to move to other endpoints, and X-Force researchers also observed it infecting terminal servers,” X-Force reports. “Terminal servers typically provide terminals, such as endpoints, printers and shared network devices, with a common connection point to a local area network or a wide area network, which suggests that IcedID has already been targeting employee email to land on organizational endpoints.”

To maintain persistence on hosts, IcedID creates a RunKey in the registry of the host’s Windows system that allows it to survive reboots. According to X-Force, IcedID requires a reboot to complete its full deployment. The reboot also serves as a way to attempt to evade analysis via sandboxes that do not emulate rebooting, researchers said.

Once the malware components are in place, the victim has their internet traffic redirected through a local proxy that the adversary controls.

“The malware listens for the target URL from the list (of financial institutions) and, once it encounters a trigger, executes a designated webinjection. The webinjection sends the victim to a fake bank site set up in advance to match the one originally requested,” researchers wrote.

That fake bank site is a “web-based remote panel” prompting a user for a username and password combination.

To thwart detection by the end user, the malware redirects traffic while keeping the bank’s correct URL in the address bar. That live connection also means the bank’s correct SSL certificate always shows.

“From that point on, the attacker controls the session the victim goes through, which typically includes social engineering to trick the victim into divulging transaction authorization elements,” researchers report.

Communication between host and the attacker’s command-and-control server is via SSL.
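As an added detection example, not X-Force's code, the two host changes described above, a Run-key entry for reboot persistence and a system proxy pointed at loopback, are correlated per writing process over constructed Sysmon-style registry events. The log layout, the paths, SID and port in the sample, and the ten-minute correlation window are assumptions; the registry locations themselves are the standard Windows ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Registry locations of interest. The Run/RunOnce keys give the reboot
# persistence the report describes; ProxyServer under Internet Settings is
# where a per-user system proxy (here, a loopback one) is configured.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PROXY_SERVER_RE = re.compile(r"\\Internet Settings\\ProxyServer$", re.I)
# Directories an unprivileged user can write to; a Run entry pointing there
# deserves more suspicion than one under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# ProxyServer values look like "127.0.0.1:49157" or "http=127.0.0.1:49157;https=...".
LOOPBACK_RE = re.compile(r"(^|[=;])(127\.0\.0\.1|localhost)(:\d+)?($|;)", re.I)

# Constructed, Sysmon-like registry "value set" events (Event ID 13), one per
# line: timestamp | event id | writing process | registry value | data written.
# Paths, SID and port are invented for the example.
SAMPLE_LOG = r"""
2017-11-13T09:12:01Z | 13 | C:\Users\alice\AppData\Roaming\svc\upd.exe | HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\upd | C:\Users\alice\AppData\Roaming\svc\upd.exe
2017-11-13T09:12:03Z | 13 | C:\Users\alice\AppData\Roaming\svc\upd.exe | HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer | 127.0.0.1:49157
2017-11-13T09:12:03Z | 13 | C:\Users\alice\AppData\Roaming\svc\upd.exe | HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable | DWORD (0x00000001)
2017-11-13T09:13:40Z | 13 | C:\Program Files\Vendor\Updater.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater | "C:\Program Files\Vendor\Updater.exe" /quiet
"""


def parse_line(line):
    """Split one sample line into its five fields."""
    ts, event_id, image, target, details = [f.strip() for f in line.split(" | ", 4)]
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id), "image": image,
            "target": target, "details": details}


def classify(event):
    """Tag a single registry event, or return None if it is uninteresting."""
    if event["event_id"] != 13:
        return None
    if RUN_KEY_RE.search(event["target"]):
        if USER_WRITABLE_RE.search(event["details"]):
            return "run-key-user-writable"
        return "run-key"
    if PROXY_SERVER_RE.search(event["target"]) and LOOPBACK_RE.search(event["details"]):
        return "local-proxy"
    return None


def detect(lines, window=timedelta(minutes=10)):
    """Return (severity, image, reason) alerts.

    A process that both registers itself under Run from a user-writable path
    and points the system proxy at loopback within `window` is reported once
    as high severity; isolated hits are reported individually.
    """
    by_image = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        tag = classify(event)
        if tag:
            by_image[event["image"]].append((event["ts"], tag))
    alerts = []
    for image, hits in by_image.items():
        tags = {tag for _, tag in hits}
        times = [ts for ts, _ in hits]
        if {"run-key-user-writable", "local-proxy"} <= tags and max(times) - min(times) <= window:
            alerts.append(("high", image, "run-key persistence from user-writable path plus loopback proxy"))
            continue
        for _, tag in hits:
            severity = "info" if tag == "run-key" else "medium"
            alerts.append((severity, image, tag))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert, sep="\t")
```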


US-CERT Warns of Crypto Bugs in IEEE Standard


Recent academic work focused on weak cryptographic protections in the implementation of the IEEE P1735 standard has been escalated to an alert published Friday by the Department of Homeland Security.

DHS’ US-CERT warned the IEEE P1735 standard for encrypting electronic-design intellectual property and the management of access rights for such IP is flawed.

“In the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP,” US-CERT said in its alert, citing researchers that found the flaw. “Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.”

The Institute of Electrical and Electronics Engineers (IEEE) P1735 standard flaw was first reported by a team of University of Florida researchers. In September, the researchers released a paper titled Standardizing Bad Cryptographic Practice (PDF).

In all, seven CVE IDs are assigned to the flaw and document the weaknesses in the P1735 standard. Those CVEs are listed below with CERT’s descriptions:

  • CVE-2017-13091: improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle.
  • CVE-2017-13092: improperly specified HDL syntax allows use of an EDA tool as a decryption oracle.
  • CVE-2017-13093: modification of encrypted IP ciphertext to insert hardware trojans.
  • CVE-2017-13094: modification of the encryption key and insertion of hardware trojans in any IP.
  • CVE-2017-13095: modification of a license-deny response to a license grant.
  • CVE-2017-13096: modification of Rights Block to get rid of or relax access control.
  • CVE-2017-13097: modification of Rights Block to get rid of or relax license requirement.

The CVEs have Common Vulnerability Scoring System ratings of 5.7 to 6.3.

CERT warns the bugs extend to electronic design automation tools used to “synthesize multiple pieces of IP into a fully specified chip design and to provide HDL (hardware description language) syntax errors.” Those tools, which have adopted the P1735 standard, are called electronic design automation (EDA) tools and provide a field-programmable gate array (FPGA) and debug environment.

The flawed standard has been adopted by EDA vendors such as Synopsys and its Synplify Premier tool, according to researchers. CERT warns other EDA “vendors who may be affected by the vulnerability” include Cadence Design Systems, Mentor Graphics, Xilinx and Zuken.

In addition to being able to recover entire plaintext IP, the bugs allow an “adversary (to) recover electronic design IPs encrypted using the P1735 workflow, resulting in IP theft and/or analysis of security critical features, as well as the ability to insert hardware trojans into an encrypted IP without the knowledge of the IP owner,” CERT wrote.

According to the University of Florida report, simple fixes that have come before have been inadequate. “Unfortunately, we show that obvious ‘quick fixes’ to the standard (and the tools that support it) do not stop all of our attacks. This suggests that the standard requires a significant overhaul, and that IP-authors using P1735 encryption should consider themselves at risk.”

The full impact of the vulnerability, according to the CERT warning, is that an attacker can not only recover electronic design IPs, but also a “loss of profit and reputation of the IP owners as well as integrated circuits with Trojans that contain backdoors, perform poorly, or even fail completely.”

Mitigation is limited, as CERT recommends users apply vendor updates to their EDA software, as it becomes available. “Developers of EDA software can apply suggested fixes from the researcher’s paper,” CERT said.


Brother Printers Susceptible to Remote Denial of Service Attacks


Networked consumer and business printers manufactured and sold by Brother contain an unpatched vulnerability that can be abused by a remote attacker to cause a denial-of-service condition on the device.

Researchers at Trustwave’s SpiderLabs on Monday disclosed the issue after numerous fruitless attempts to contact Brother, including a live chat with a support person on Oct. 3, close to a month after the initial disclosure. A request for comment by Threatpost went unanswered prior to publication.

The vulnerability affects all Brother printers with the Debut embedded webserver, Trustwave said, and can be exploited with a single malformed request to the printer. Karl Sigler, threat intelligence manager at Trustwave, said the Debut web front end could be 15 years old and versions 1.20 and earlier are affected.

“From a network perspective, [an attack will] look like regular HTTP traffic hitting the printer. The attack is only sending a single request every few minutes to accomplish the DoS,” Sigler told Threatpost. “If the printer is internet accessible, that’s all an attacker would need. Otherwise, an attacker would need to gain access to the target’s network (social engineering comes to mind).”

Sigler said there are 14,989 affected devices available online, according to a Shodan search conducted by Trustwave, a small percentage of Brother printers.

“An attacker would need to be on the same network in most cases,” Sigler conceded.

An attack would be executed by sending a malformed HTTP POST request to the printer; an attacker would receive a generic 500 server error code in response indicating the server was inaccessible and unable to print.

“Unfortunately, despite multiple attempts to contact Brother about this issue, no patch appears to be pending. In order to mitigate this issue, admins are left to their own devices,” Trustwave said in a statement. “Strict access control is in order here and using a firewall or similar device to restrict web access to only those admins that need it will help to mitigate the threat here. Unfortunately, poor access control is all too common.”

In the meantime, it would appear the issue will go unpatched. Sigler said it’s likely that even if an update were produced by Brother, it would have to be manually deployed. This is an all-too-common scenario with other connected devices that lack an automated mechanism for security and feature updates. Attackers have been all too happy to exploit this issue, in other instances such as Mirai, to carry out crippling distributed denial of service attacks.

“Some people dismiss denial of service attacks as a mere nuisance, but they can tie up resources and reduce productivity at any organization. They can also be used as a part of an in-person attack on an organization,” Trustwave said. “For instance, an attacker can launch a denial of service like this one and then show up at the organization as the ‘technician’ called to fix the problem. Impersonating a technician would allow the attacker direct physical access to IT resources that they might never have been able to access remotely.”