UPDATE
Hackers have claimed that they launched yet another attack tricking hundreds of thousands of printers globally to print pamphlets promoting YouTube celebrity “PewDiePie.”
The latest incident comes on the heels of a similar hack last month. That’s when hackers claimed they commandeered 50,000 printers globally to promote Felix Kjellberg, also known as PewDiePie, a Swedish YouTuber, comedian and video game commentator.
The hackers in this latest incident, who go under the Twitter handles @HackerGiraffe and @j3ws3r, dubbed the attack on Twitterverse as #PrinterHack2.
@HackerGiraffe told Threatpost via Twitter that the number of printers that actually printed the message was “well over 250k” and the number of IPs targeted was well over 2 million.
“While the number of printers we actually know were affected can be a bit different, this wave was hitting all three protocols… IPP, JetDirect and LPD… and we got 100k just from LPD,” according to @HackerGiraffe.
The two hackers who claim be behind the attack had told the BBC over the weekend that they have hacked another 100,000 printers – although the BBC said it was unable to verify the claim.
Similar to the first hack, the message in this latest printer hack instructs the user to subscribe to PewDiePie. The back story of the campaign is that the famed YouTube personality is currently going head-to-head with “T-Series”, an Indian music record label and film company, for the top YouTube spot. Both YouTubers’ channels have at least 73 million subscribers.
The first alleged victim of the latest printer attack shared a tweet of an image of his message on Dec. 14.
https://twitter.com/nnnicogentille/status/1073563720658444289
However, the latest message now includes bullet points about “Things You Should Know,” including outlining how Port 631 ( a well-known internet printing protocol system port) is open and how printers are exposed.
https://twitter.com/Thrillka/status/1074016514804715520
According to the hacker behind the @j3ws3r handle, the hack is meant to spread awareness about printer vulnerabilities: “Again – the point of this is to point out security flaws and common points of attack IT seems to overlook,” the hacker said in a tweet.
So I have one question for you. Are you subscribed to PewDiePie yet?
More to come. More things that will break the internet (not literally).
Again—the point of this is to point out security flaws and common points of attack IT seems to overlook.While obviously spreading a meme
— Bob (@j3ws3r) December 17, 2018
One of the hackers, behind the handle @HackerGiraffe, explained that he found vulnerable three different printing protocols via Shodan (IPP, LPD, and JetDirect) with up to 800,000 vulnerable printers in total.
He then used the well known Printer Exploitation Toolkit carry out the malicious print jobs. The Printer Exploitation Toolkit gives hackers the ability to access files, damage a printer, or potentially access an internal network a vulnerable printer is connected to. In the case of @HackerGiraffe, the hacker allegedly used a bash script to run the attack against exposed printers, instructing the printer to print the message then quit. He then uploaded the script onto his server and left it running.
The alleged widespread hack sheds light on just how insecure printers are, and how precarious printer vulnerabilities could be when they offer an easy route into the enterprise network. Over the summer, researchers at Check Point highlighted a vulnerability that allowed the compromise of printers with fax capabilities when a fax is sent. And in August, HP Inc. patched hundreds of inkjet models that were open to two different remote code execution flaws (CVE-2018-5924, CVE-2018-5925).
“It’s essential that printers are not directly connected to outside network to avoid situations like this,” said Alex Bazhaniuk, co-Founder and CTO at Eclypsium, said in an email.
This story was updated at 11AM ET on Dec. 17 to reflect comments from @HackerGiraffe.
