Hackers Can Gain Active Directory Privileges Through Vulnerability in Xerox Printers

data breach, vulnerability testing, hackers
data breach, vulnerability testing, hackers

Organizations beware: last week, Xerox released a security advisory for several models of the WorkCentre Multifunction and Color Multifunction printers. Thanks to a Lightweight Directory Access Protocol (LDAP) vulnerability, hackers can launch a pass-back attack against printers with weak or default credentials. This exposes the login information of Active Directory users – including those with administrative privileges – and can be used to gain further control over an organization’s network.

Deral Heiland and Michael Belton’s research on multi-function printers  and the “Pass-Back Attack” first appeared in a document published on foofus.net. Steven Campbell, a Senior Security Consultant at Securicon, frequently finds network devices using default credentials that are vulnerable to the pass-back attack vector during client assessments and uses this attack vector to discover credentials to Active Directory service accounts.

Unfortunately, the newly reported vulnerability in Xerox WorkCentre MFP’s is just one in a series of similar weaknesses impacting today’s off-the-shelf IoT devices. In this article, we’ll explain how it can be used to gain administrative access over Active Directory domains, and what you should do to protect yourself.

How it Works: Xerox Pass-Back Attack

First – after accessing an organization’s network – a malicious or unauthorized user can gain access to the Web interface for affected Xerox printers using well-known, default login credentials. Even if the username and passwords have been changed, they may be brute-forced if they are weak and easily guessable.

Figure 1: Admin interface accessed using default credentials

Next, the actor finds an LDAP connection configured on the device and changes the Server IP address or hostname to their own IP address as shown in the next figure. Since the Xerox firmware does not require a user to re-enter or validate the LDAP credentials before changing its server address, there is nothing standing in the attacker’s way.

Figure 2: Editing LDAP Connection

Next, the attacker uses a utility like netcat to listen for incoming connections and display the output in plaintext. Using the LDAP server search field, they can search for any name and connect to the corresponding account.

Figure 3: LDAP User Search

On the actor’s system, the netcat utility receives the connection and displays credentials used by the printer to reach the Active Directory Domain Controller, including domain, username and password.

Figure 4: Capturing Plaintext Credentials

In the best-case scenario, the attacker will discover an ordinary Active Directory user account that does not belong to any privileged security groups. The attacker can still use the unauthenticated user to gain a foothold in the domain, which constitutes a moderate vulnerability.

However, our own tests on client networks demonstrate that the worst-case scenario is more likely. We frequently find that the printer service account belongs to a privileged group such as “Domain Admins,” and grants the attacker full control over the Active Directory Domain. This is a severe vulnerability which requires immediate remediation.

Are You Protected?

The table below lists Xerox printers susceptible to the attack outlined above, and the corresponding firmware patch. Devices on a lower software version are still vulnerable and should be patched using the updates provided by Xerox.

Aside from installing the latest firmware update, we recommend that organizations implement two security controls across all their networked devices to prevent similar attacks in the future:

  1. Always update default manufacturer credentials with strong passwords and use two-factor authentication (2FA) whenever possible. Recently, Barracuda network devices were impacted by an LDAP vulnerability similar to the one described in this article; all users were impacted except for those enrolled in 2FA.
  2. System administrators should avoid adding printer service accounts to privileged Active Directory groups, and – in general – they should keep the number of administrative users to an absolute minimum.

Although it should be incumbent on vendors and device manufacturers to validate users before allowing them to change crucial device settings (like LDAP IP address), the truth is that today’s vendors cannot be trusted to enforce rigorous security controls. Organizations must take the initiative to strategically protect their networks. 

Bridging the IoT Security Gap

In the past, we have talked about the IoT security gap and lax controls from hardware manufacturers. Sadly, the vulnerability covered in this article is a case-in-point: today, networked devices are being pushed to market faster than they can be secured, and security is rarely a priority in development. This leaves many organizations with blind spots in their security position as a host of seemingly benign devices (like printers) provide a wide attack surface for malicious actors.

IoT and networked devices are the future – but meeting the technological needs of your business and protecting your investment are not mutually exclusive goals. As the average cost for a data breach climbs to historical highs, organizations cannot afford to be caught off guard by easily prevented security vulnerabilities. This year insure your organization against future threats by taking inventory of your IT assets and assessing them for risk.


Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our risk assessment framework


The IoT Security Gap, and Six Ways to Overcome It

IoT Security
IoT Security

By next year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion. That’s up 14.1 billion from 2016 – a shocking amount of growth in a short period of time and quintuple the number of usable IP addresses that existed under IPv4.

Like thought leaders predicted a decade ago, the burgeoning Internet of Things (IoT) is outgrowing mobile phones and dominating network connectivity in both the public and private sector. Unfortunately, the more Internet connections an organization has, the more vulnerable it is to attack; but IoT vendors don’t seem to care.

While today’s IoT is more secure than the devices of yesterday, security remains little more than an afterthought for too many product developers. According to scientist Sarah Zatko, IoT vendors continue to omit basic security features out of mere complacency.  “They’re just not bothering,” said Zatko, adding that “the needle hasn’t moved much in 15 years”.

The Consequences of Insecure IoT

On one hand, the almost impossibly fast growth of IoT means that a security gap is inevitable. On the other hand, this gap has consequences which organizations cannot afford to ignore: according to research, 48% of companies have already been the victim of at least one IoT attack.

Some of these incidents are damaging enough to gain significant publicity. In 2016, the Mirai botnet propagated through open Telnet ports on 600,000 IoT devices and brought down Internet connectivity across the U.S. East Coast. Other major attacks include:

  • EchoBot – with similar source code to Mirai, EchoBot targeted popular consumer and enterprise routers using over 26 unpatched vulnerabilities. It’s spread continued into 2019, and still threatens organizations today.
  • TheMoon – in many ways TheMoon represents “peak malware,” allowing threat actors to rent out thousands of hijacked routers and modems around the world for various malicious purposes.
  • Industroyer – in 2016, the Industroyer malware targeted Ukraine’s power grid and left thousands without electricity for a few hours. In 2017, researchers concluded that points of entry had been exploited within “Industrial IoT” deployed throughout the grid.

What happened in the Ukraine is instructive. As time wears on, critical infrastructure in the United States will depend on remote access technologies facilitated by IoT or will at least be in contact with IoT devices on the same network. Current security standards leave vulnerabilities that could have devastating consequences on businesses, their customers and the nation as a whole.

Regulatory Attempts

Efforts to regulate IoT like other technologies – including cloud and storage systems for classified information – have failed on more than one occasion. In 2017, the “Internet of Things Cybersecurity Improvement Act” was proposed to Congress, but never passed.

A new version of the same bill was introduced earlier this year, with a narrower focus. If passed, it would have put the National Institute of Standards and Technology (NIST) in charge of developing security standards for IoT devices by last month – a move that many in the industry approved of. However, the act is still in limbo and no further developments have occurred.

Unfortunately, it may take a serious incident before the government is prepared to hold IoT vendors to a higher standard. In the meantime, vendors simply don’t face enough pressure from the free market to take care of the problem themselves. For now, organizations must shoulder the responsibility of securing their own devices.

Six Ways to Improve IoT Security

Fortunately, there are many ways to significantly improve IoT security within a public or private enterprise environment. Here are six:

1. Minimize device footprint – the billions of IoT devices in use today, not all serve an important purpose. Minimize the number of devices in your organization, removing the frivolous and using non-networked solutions wherever possible. Remember that any opening to the Internet creates a potential route for attackers.

2. Segment IoT from critical assets – whenever possible, keep IoT disconnected from networks used to access classified information and sensitive data. Barriers between critical and non-critical assets in your organization make it difficult for attackers to move laterally even if they gain a foothold through one opening.

3. Replace default credentials – according to the Office of Management and Budget (OMB), lack of strong authentication is one of the most common security mistakes across federal agencies. IoT devices rarely require administrators to change their weak default credentials. Ensure that every networked device in your organization is tightly secured.

4. Use two-factor authentication – in the same vein, two-factor authentication (2FA) creates an extra barrier against brute-forcing and stolen login information. Most IoT devices are compatible with 2FA, but – again – they will not prompt users to install it. Take the initiative to keep devices as secure as possible.

5. Choose high-reputation vendors – not all IoT is created equal, and some vendors have a better reputation for security than others. Research IoT vendors as part of your risk management strategy and avoid those known for past attacks, lax standards or slow firmware updates.

6. Track and test devices – tracking IT assets is an important part of any security strategy, and IoT is no exception. Track all your IoT assets, and regularly test them for strong authentication. Firmware updates sometimes include patches for known vulnerabilities, so ensure that the latest version is always installed.

Adopting a Threat-Based Mentality

While they have never been more serious than they are today, the risks of IoT have been understood for over a decade. If organizations have ignored them, it’s because they have adopted a checklist mentality: but following regulations to the tee won’t protect against threats that legislation doesn’t address.

In order to protect their data, revenue and customers, today’s organizations must take a proactive approach to security. With the help of vulnerability and penetration tests, cyber hunt and asset management, “cybersecurity” can mean a lot more than compliance: it can mean safety against malware and targeted attacks.


How Real Hackers Think, and Why it Matters

cyber warfare, hackers, cyber attacks cyber warfare
cyber warfare, hackers, cyber attacks cyber warfare

In 2019, hackers are experiencing what sea-pirates experienced in the 17th century: a golden age. And just like the British Navy used privateers to keep pirates at bay, modern businesses must use the tools and methods of hackers to prevent successful attacks.

For the past few years, data breach occurrence has steadily climbed. The average cost of a cyberattack has hit $1.7 million, and by 2021, annual cybercrime damages will reach $6 trillion – exactly when the world will have 3.5 million unfilled cybersecurity positions.

Vulnerability assessments and penetration tests are a proven line of defense against hackers as they can show where points of attack and unauthorized entry exist. But these methods are only successful with a professional touch: in order to beat hackers at their own game, an organization must be able to think like them. In this article, we’ll explain what that means.

Two Types of Attacks

The media continues to depict hackers as socially isolated trolls. But if this stereotype was ever accurate, it no longer reflects reality: hackers around the world come in many stripes, from lone professionals to organized crime groups and even governmental or military organizations.

For organizations, there are two major categories of motivation that define the attacks they can encounter.

Attacks for Effect

Some hackers aim to cause as much destruction as possible. This group may comprise amateurs who wish to gain the respect of other hackers or disgruntled current or former employees with a personal vendetta.  But also included in this group may be hacktivist groups or politically motivated attackers whose intent is to send a message – either to the site owner or to the public.  The product of their attack is to make the site a very visible billboard for their favorite cause.

But the biggest threat to organizations today comes from the second class of attacks.

Attacks for Gain

Criminals undertake hacking for reasons ranging from data theft to political terrorism to monetary gain. Far from being trolls, hackers in this class of attacks are organized, professional, well resourced, and persistent. They thrive on invisibility and may evade detection for a long time while doing their work – a persistent threat.

Since hackers in this class are the most dangerous to an organization, understanding their modus operandi is crucial to avoiding them.

How a Hacker Thinks

1. Strategic

Prior to an attack, hackers may spend months preparing, gathering reconnaissance and strategizing how to execute. During this time, they will search for points of entry by mapping an organization’s network and IT assets, its structure and procedures.

Tactics used may include,

  • Footprinting
  • Social engineering
  • Accessing public records
  • Port scanning and probing

Even with high levels of security control, hackers may dupe employees or administration into divulging critical information via phishing and social engineering. Training and compliance at all levels of an organization are therefore crucial portions of a security strategy.

2. Opportunistic

During the preparation phase, hackers search for anything that can grant them unauthorized access to a system. This means that any exploits may be used, no matter how obscure – and in fact, obscure vulnerabilities may be preferred.

Organizations have many levels of IT infrastructure that may provide a gateway for deeper penetration. So-called “non-critical” systems like internal email should not be neglected when it comes to documentation and testing. At the same time, during a vulnerability assessment or pentest, systems should be prioritized to reflect the likeliest starting point for a real-world hacker.

3. Stealthy

While trolls are interested in visibility, criminals are not. Professional hackers use a variety of techniques to keep their activities hidden from administrators and lurk within a system for years at a time:

  • Enter discretely – hackers know that obvious entrances are carefully guarded and seek out less obvious points of entry to begin an attack. Additionally, 90% of hackers use encryption to disguise their origin.
  • Persistent access – once they are inside of a system, hackers quickly try to establish a backdoor for persistent access. This way, they will always be able to return, even if the vulnerability by which they gained access is patched.
  • Move laterally – by re-entering over time, hackers advance slowly from point A to point B. This allows a careful and methodical progression from small vulnerabilities to much larger ones.

In order to keep systems secure, it’s not enough to guard the front entrance: organizations must continually scan and monitor activities on their network to detect signs of suspicious activity.

4. Goal-oriented

It should be clear by now that real-world hacking is a difficult process that requires preparation, and commitment to a long-term strategy. Every hacker therefore pursues some concrete object, such as:

  • Political sabotage – an organization may be attacked either because it is involved in political activities, because it serves the government, or its products and services are critical to a nation’s political process. In this case, hackers may aim to obstruct its daily operations by targeting mission-critical systems.
  • Data theft – today, almost any organization has a wealth of information about its customers and clients. This data can be exploited for many purposes and – wherever it is stored – attacks should be anticipated.
  • Monetary gain – hackers rarely steal money directly from their victims. But companies possess many assets which can be used for profit, including intellectual property and trade secrets.

Concerted attacks, like any other business risk, are difficult to predict, but they are not difficult to anticipate. Although cyberattacks are inevitable, they should never be viewed as inexplicable or mysterious. To protect itself, an organization should identify and monitor its most valuable assets.

5. Deceptive

Hackers will use deception in the earliest stages of their campaigns. During reconnaissance, they often trick employees into forwarding “important information” to their colleagues, which is – in reality – a phishing attack.

When they actually begin their work hackers will, moreover, use false-flags to misdirect system admins, and anyone else who may be watching. This includes targeting systems they do not really care about and using exploits that are not crucial to their end-games

Experience vs. Automation

To enforce real security, companies require experts who know how to think like hackers.  Throughout the industry, however, those who claim to do so are frequently misguided. Most pentests, for instance, are left to automated software, leaving clients vulnerable to attacks that software can’t anticipate.

Securicon is comprised by infosec veterans who have played red-team against government agencies in real-world hacking scenarios and formulated unique toolkits that money cannot buy. Our scans and assessments reflect this experience and uncover the only vulnerabilities that matter: those our clients are unaware of.

Most hackers will not work for anyone except themselves. But Securicon’s team shares the knowledge and experience of professional hackers, while aiming to protect – rather than harm – the companies they target. In the long term, we believe there is no better way to enforce security, and anything else is a compromise.