Fax-Based Cyberattack Puts Organization’s Networks at Risk

Standalone fax machines, fax-to-mail services and all-in-one printer fax machines are cybersecurity threats to your organization’s internal network, according to a recent disclosure by security researchers at Check Point.

Millions of fax machines are still being used in offices worldwide. Healthcare organizations, law firms, and banking and finance companies, in particular, still rely on fax machines to send and receive sensitive documents. Some organizations use fax machines to send and receive critical documents in compliance with government regulations, while others use them for legacy reasons.

Check Point researchers say they’ve discovered a security vulnerability in modern-day fax machines, including fax-to-mail services and all-in-one printer fax machines, that allows cyber attackers to hack these machines, once considered secure, through a process called “remote code execution”.

In remote code execution, cyber attackers can access your computer and make changes to it, regardless of where the computer is geographically located.

How the Cyberattack via Fax Machine Works

All the attackers need in order to attack your office fax machine, fax-to-mail service or all-in-one printer fax machine, and eventually your organization’s internal network, is your organization’s fax number – information that’s widely available over the internet and is most probably included on the business cards of your organization’s staff.

Check Point researchers call this newly discovered cyberattack via fax machine “Faxploit”, short for fax and exploit. In Faxploit, using only the target’s fax number, the attackers send a malicious fax to the target’s all-in-one printer fax machine. Once this malicious fax is sent, the attackers can then take full control of the machine and can infiltrate the target’s internal IT network.

As a proof-of-concept, Check Point researchers sent a malicious fax that they’ve created to an HP Officejet all-in-one printer fax machine. Once the researchers took control of the all-in-one printer fax machine, the researchers then used the spying tools Eternal Blue and Double Pulsar.

Eternal Blue and Double Pulsar are part of the trove of spying tools believed to be created by the US National Security Agency (NSA) and leaked to the public by the group known as “Shadow Brokers” more than a year ago.

The infamous WannaCry attack, which locked out over 300,000 computers in 150 countries in just one day on May 12, 2017, used Eternal Blue. Double Pulsar was also used alongside Eternal Blue during the May 12, 2017 WannaCry attack.

Eternal Blue takes advantage of a security vulnerability in Microsoft’s Server Message Block (SMB) protocol – a protocol that allows computers using Windows operating systems to communicate with each other and with other devices, including the all-in-one printer fax machine. Double Pulsar, on the other hand, is a spy tool that allows attackers to drop additional malicious software (malware) on the infected computer.

Together, Eternal Blue and Double Pulsar enabled the attackers to spread the WannaCry malware to other computers in a very short time.

In the case of Check Point’s Faxploit, once Eternal Blue and Double Pulsar are installed on the compromised fax machine, anything then is possible. It could be used to infiltrate other computers connected to the fax machine for data theft, locking out computers via ransomware or stealing computing power through cryptocurrency mining malware.

Faxploit is a security risk as fax machines, including fax-to-mail services or the all-in-one printer fax machines, are connected to internal networks via Ethernet, WiFi or Bluetooth.

Fax machines are also connected to a PSTN phone line in order to support the fax functionality. Being connected to the PSTN phone line allows the attackers to stage the attack on fax machines and eventually to the corporate network even if these fax machines or computer networks aren’t connected to the internet.

Fax-Based Attack Prevention

Check Point researchers said that Faxploit hasn’t been exploited in the wild. The researchers also said that they don’t intend to share with the public Faxploit’s code. “One can assume, however, that other researchers will independently develop such code eventually,” Check Point researchers said.

Prior to disclosing Faxploit to the public, Check Point informed HP about the security loophole on its machines. HP, for its part, worked on the security fix for this security vulnerability. The company issued a patch that fixes this security exploit last August 1.

If your organization is using an HP fax machine and the update is set to automatic, this patch has likely already been applied. If automatic update isn’t set in your HP fax machine, it’s recommended to update the machine as soon as possible.

Check Point researchers limited their communication with HP as Faxploit was tested on HP Officejet all-in-one printers. The researchers said they have reasons to believe that fax machines from other manufacturers are vulnerable to Faxploit as well.

Whether your organization is using a standalone fax machine, fax-to-mail service or the all-in-one printer fax machine from HP or from other manufacturers, here are some security measures that your organization can undertake:

  • Keep your fax machine’s software up-to-date.
  • If fax functionality in the all-in-one printer fax machine isn’t used, it’s recommended to disconnect the PSTN line.
  • Practice network segmentation if your organization can’t afford to disconnect the printer-fax machine. Network segmentation refers to the practice of separating a computer or group of computers from the rest of the network. This practice ensures that once attackers gain access to a certain machine, they won’t be able to infiltrate the rest of the network, thereby limiting the spread of the attack.
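
One way to check that segmentation is actually holding, as an added example that is not code from Check Point, HP or this article: the Python below scans flow records for connections that the printer/fax subnet starts toward other internal hosts, rating SMB ports highest because Eternal Blue targets SMB. The subnet layout, the allowlist and the log format are assumptions, and the flow records are constructed.

```python
import ipaddress

# Assumed addressing plan (hypothetical): fax/printer devices sit in their own subnet.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Flows the printer segment may start, e.g. scan-to-folder on one file server (assumed).
ALLOWED = {("10.1.1.5", 445)}
SMB_PORTS = {139, 445}  # SMB over NetBIOS session service, and direct-hosted SMB

# Constructed sample flow records, one per line: "time src dst dst_port"
SAMPLE_FLOWS = """\
2024-01-15T09:00:01 10.1.2.40 10.20.30.7 9100
2024-01-15T09:03:12 10.20.30.7 10.1.1.5 445
2024-01-15T09:05:44 10.20.30.7 10.1.2.40 445
2024-01-15T09:05:45 10.20.30.7 10.1.2.41 445
2024-01-15T09:06:10 10.20.30.7 203.0.113.9 443
truncated record
"""

def find_violations(text):
    """Return flows started by the printer segment toward other internal hosts."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing
        ts, src, dst, port = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if src_ip not in PRINTER_NET or dst_ip in PRINTER_NET:
            continue  # only flows leaving the printer segment matter here
        if not any(dst_ip in net for net in INTERNAL_NETS):
            continue  # external destinations are a separate egress check
        if (dst, port) in ALLOWED:
            continue  # explicitly permitted flow
        severity = "high" if port in SMB_PORTS else "medium"
        findings.append({"time": ts, "src": src, "dst": dst,
                         "port": port, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"{f['severity']:6} {f['time']} {f['src']} -> {f['dst']}:{f['port']}")
```

A printer or fax device normally receives connections; any finding here means the device is initiating traffic to workstations, which a properly segmented network would block at the firewall.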

When you need help, our experts are a phone call away. Call today (416) 920-3000 for a free consultation.
