Criminals Can Compromise Company Networks by Sending Malicious Faxes
Check Point has revealed details about the two critical remote code execution vulnerabilities (CVE-2018-5924, CVE-2018-5925) it discovered in the communication protocols used in tens of millions of fax devices globally.
A fax number is all an attacker needs to exploit the flaws, and potentially seize control of a company or home network.
The Check Point research demonstrated the vulnerabilities in the popular HP Officejet Pro All-in-One fax printers.
The same protocols are also used by many other vendors’ faxes and multifunction printers, and in online fax services such as fax2email, so it is likely that these are also vulnerable to attack by the same method.
About Faxploit
Usually seen as outdated technology, there are over 45 million fax machines in use in businesses globally, with 17 billion faxes sent every year.
It is still widely used in several Industry sectors such as healthcare, legal, banking and real estate, where organizations store and process vast amounts of highly sensitive personal data. The UK’s National Health Service alone has over 9,000 fax machines in regular use for sending patient data. In many countries, emails are not considered as evidence in courts of law, so fax is used when handling certain business and legal processes. Nearly half of all laser printers sold in Europe are multifunction devices with fax capability.
Once an attacker obtains an organization’s fax number (which is easily obtainable from corporate websites), the attacker sends a specially created image file by fax to the target. The vulnerabilities enable malware (such as ransomware, crypto-miners or spyware) to be coded into the image file, which the fax machine decodes and uploads to its memory. The malware can then potentially breach sensitive data or cause disruption by spreading across any networks to which the fax machine is connected.
Prevent exploitation
To minimize the security risk, Check Point advises that organizations check for available firmware updates for their fax devices and apply them.
“We worked closely with HP to fix the vulnerability and, following the process of responsible disclosure, they managed to release a patch before this publication. In fact, if your device is already configured to auto-update then the patch has likely already been applied. This patch, however, only applies to HP all-in-one printers and the vulnerability may well still apply to devices from other manufacturers as well,” the researchers noted.
Businesses are also urged to place fax devices on a secure network segment separated from applications and servers that carry sensitive information.
“Once unauthorized access is gained, network segmentation can provide effective measures to mitigate the next stage of intrusion into a network and limit the spread of the attack by lateral movement across it,” they explained.
The good news is that there’s no indication that the vulnerabilities are being exploited in the wild.
“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multifunction office and home printers,” said Yaniv Balmas, Group Manager, Security Research at Check Point. “This groundbreaking research shows how these overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations.
Source: helpnetsecurity
Latest Jobs
-
- Google Cloud Data Engineer
- London
- Up to £90,000 Base
-
Google Cloud Data Engineer London Salary: Up to £90,000 Base We are currently working with a leading Google Cloud partner who are currently looking for a Google Cloud Data Engineer in London. The Google Cloud Data Engineer will be responsible for projects designing and implementing data cataloguing platforms using Google Cloud. Current Experience Required: Google Cloud (MUST be Google Cloud Professional Engineer Certified and worked on recent GCP/Google Cloud Projects). Data Analytics (Data Engineering, Data Mining, Data Cataloguing etc.) Cloud PUB / SUB Candidates must be UK based and commutable to London. Candidates outside of the EU can not be sponsored Apply for more information or call Peter Georgiou on 02086634030. Ref: PG7692
-
- Microsoft Azure Sales Consultant
- London
- Up to £100,000 Base + OTE
-
DCL are currently working on behalf one of the fastest growing service providers in London who are on the lookout for a consultative Microsoft Azure Sales Consultant. The Microsoft Azure Sales Consultant will be responsible for selling (opening and closing new business opportunities new business) and being the SME in all things Cloud providing support to other members in the sales team. Preference will be given to the Microsoft Azure Sales Consultant who possesses Exceptional knowledge of Cloud Technology (Public / Private / Hybrid.). Current experience with technology such as Azure, AWS, Office 365 is required Proven sales experience of identifying and closing new business within the Cloud market. Must be currently selling into the enterprise market. Consistency on tenure in current and past roles. New business background is a must In return you will be working for a successful, growing SME organisation with excellent training and sales support from pre-sales, post-sales, project management, service management, bid management, pricing and customer service. Candidates must be UK Based. sponsorship can not be provided for this role. Reference Number: BD7690 (Cloud Sales Jobs, Cloud Computing Jobs, Cloud Computing Sales)
-
- Senior Incident Cyber Response Consultant
- London
- Up to £75,000 Base
-
Senior Incident Cyber Response Consultant with Forensic experience is needed to join a global consultancy whose cyber business unit are continuing to their investment in the growth of their team. From my perspective, as a recruitment partner, this is a particularly interesting and exciting opportunity. Not only is the team in an active growth mode, but they have varied, high profile and interesting projects for their team. Globally recognised. This is an opportunity to drive and grow a career. Experienced Senior Incident Cyber Response Consultant is needed to help take clients through the complete IR / triage process. The position is be client facing and will be expected to engage with clients at a commercial level. Proactive IR planning is also key to the position. The Senior Incident Cyber Response Consultant will not hold a sales target, but any previous experience in identifying and generating revenue is highly sort after. A broad forensic background would be highly desirable also. An ideal Senior Incident Cyber Response Consultant will be CREST CCIR, CCIM certified. Experience with forensics is highly desirable. Any of the following are very desirable also CREST Certified Network Intrusion Analyst (CCNIA) CREST Certified Host Intrusion Analyst (CCHIA) CREST Certified Malware Reverse Engineer (CCMRE) CREST Practitioner Intrusion Analyst (CPIA) An individual must be London commutable Key attributes should also include; stakeholder engagement, mentoring of team members, a collaborative working style. Technical experience must include; demonstrable experience within cyber incident response, Forensic, cyber etc. Additional certifications could / should include GIAC certified (Intrusion analyst, incident handler, forensic handler) The opportunity for an individual to conduct malware research and analysis is actively promoted. Career development and the opportunity to influence, apply today for more information or call Chris Holt on 07884666351 or 02086634030 or email chris.holt@dclsearch.com Unfortunately, our client are unable to provide sponsorship for this opportunity. Candidates must be UK based. Ref: CH7679 (Incident Response Jobs, CREST Jobs, Digital Forensics Jobs, IR Jobs)
-
- Principal Electrical Engineer
- London
- Salary: Up to £90,000 Base + Bonus
-
Principal Electrical Engineer Location: London Salary: Up to £90,000 Base + Bonus A Principal Electrical Engineer is needed for a state of the art, London based Data Centre provider. The Principal Electrical Engineer will be responsible for all of the Mechanical & Electrical components (support, development/design etc.) within our clients Data Centre’s. Other responsibilities include but not limited to; Commissioning, approving, design & review/improvement of new data centre infrastructure Commercial’s (Contract negotiation, project finances etc.) Project management Training/Development of other staff General engineering tasks Requirements HND / Degree in Engineering or equivalent. Must have current/recent experience (ideally in a senior position) within a mechanical & electrical position within a Data Centre environment Candidates must be UK based and unfortunately, our client are unable to provide sponsorship Ref: PG7600 (M&E Jobs, Mechanical & Electrical Jobs, Engineering Jobs, Data Centre Jobs, Data Center Jobs)