Saturday, July 17, 2010

Threat Vector: Xerox WorkCentre Pro scanned to email documents?

I was checking my security feeds this weekend and found a nice little nugget via Donna’s SecurityFlash

Seems the Tech Herald’s offices got hit with an email scam claiming to have a file sent by a local Xerox WorkCentre Pro multifunction device.

More and more organizations are deploying these devices than can function as a fax, copier, network printer, and scanner resource.  By combining multiple features in a single networked device, I’m sure businesses are hoping to leverage cost savings and production efficiencies to their employees.

Overall, while they can be an IT management headache to manage, configure, monitor, update, and support…that’s why the company pays the vendors and IT department all those big bucks we see monthly, right?

Anyway, a quick examination of the email set of warning signs…the scanned document was presented as a “ZIP” compressed file, rather than as a more common PDF file (or TIFF or XPS format as mentioned).  Plus the message body didn’t quite match.

When the attachment embedded in the ZIP file was unpacked and scanned with malware tools, it was flagged immediately as a trojan in Microsoft Security Essentials though, as Steve points out, many other vendor scans via Virus Total at the time didn’t identify it as such.

Using emails as a malicious infection-vector isn’t new by any means.  However, with the increase in these multi-function devices to workplace environments, coupled with many employees receiving little to no training, the risks seem higher.

Image the following scenario.

Users at the mythical industrial leader CorporationX (I just made that up) recently have a similar multi-function device installed across their organization.  Besides network printing, they do experience great buy-in upon learning of the “scan-to-email” feature.  Previously only certain executives and their administrative-support pool had access to document scanners.  Now they can all digitize hard-copy material simply by placing it on the machine, selecting the scan-to-email feature, and putting in their email address.

Automagically when they go back to their desk, there is a standard email with their PDF document waiting!

Who wouldn’t like the idea of being freed from hard-copy handling and moving finally to the digital world?

Only in this case, multiple administrative and executive users at CorporationX got an email from a Xerox system that they themselves didn’t initiate/scan to themselves.  No matter.  It looks legit and because the default setting allows the email to go out with a generic “From” Xerox sender, a few of them figure that maybe one of their peers was copying them in (you can enter other email address names besides your own when sending the scanned document).

Must be some important corporate info!

Better open it up and take a peek immediately!

Strangely, Adobe Reader opened the document, flashed briefly then closed.  Then reopened with a document that had nothing to do with CorporationX.

Oh well, think all the users, someone must have scanned in the wrong document…

Unfortunately, the email (like that received by The Tech Herald) was in fact, not sent from within CorporationX but was a spoofed/forged email.

Embedded within this PDF was specially crafted exploit code that ended up dropping a root-kit/trojan on the system.  Now CorporationX was serving its secrets right out the back door.

It wasn’t until an IT team-member also received the email, questioned the authenticity and first checked the message header code that they discovered the email had been spoofed and came from an external source, and not from a CorporationX Xerox device. 

Additional investigation found the PDF was in fact embedded with malicious code, and off-line scans of some sample corporate field systems did find evidence of the root-kit/trojan.

So a formal incident-response kicked off and the migraines began for CorporationX as they now tried to determine what corporate info had leaked and what the damage might be and starting trying to find infected systems across the thousands they manage.


Still don’t believe an unsolicited/spoofed PDF attachment is a potential threat vector?

And I would be remiss to mention all of Didier Stevens’ extremely detailed work on PDF exploit research in the same breath.

To be very clear, I’m not at all positing that Xerox WorkCentre systems are bad or a threat (they are in fact just one manufacturer/model of many such option-capable devices in this crowded office-machine category). No I am not picking on Xerox in particular, all such scan-to-email devices can lead to the same complacency and attack vector via email spoofing.

Pretty useful things, they are.  However, their ubiquitous nature (it’s just a fancy copy machine) and the fact that the default configuration sends messages that are so cookie-cutter standardized, really sets up users for some social-engineering FAIL.  How can one expect the average user to first authenticate that the message is valid and legitimate if they are sending them daily to themselves safely, and others can include them as well?  And no one is adding their personal “From” identification into it?

Couple that with the potential threats from malware-hacked PDF file exploits (even more so if the Adobe Reader versions installed haven’t been updated/patched in a very long time) and it could be a nightmare.

I’m still not sure about solutions…disabling scan-to-email and using the more administratively managed “scan-to-mailbox” feature might be one method, or putting in place policy that requires users who do scan such documents to manually put in a valid identifying word or phrase in the subject line, or requiring them to put in their own corporate email address rather than using the default machine one might be a start.  Perhaps a more detailed system deployment that changes the default Scan to Email configuration so that a custom “WorkCentre Email address” name is used that better legitimizes the email notices by checking the “From” field on emails supposedly sent from the corporate device(s)?  Or even the “signature” line?  Check out this Scan to Email (PDF…I know…) quick configuration guide for some of the customization options available on many Xerox WorkCentre systems.  Please do something, anything, to make your internal scanned emails special and identifiable to your employees as being more legitimate.  That will help set the spoofed ones apart much more clearly from your users.

That’s not to say that end-user education, a strong A/V software solution installed on the user system desktops, security software that scans attachments at the email server level, and an IT policy that ensures Adobe Reader is kept current and patched also would be good practices.

I personally get a few “unsolicited” PDF’s scanned from Xerox systems in my email a week.  And I promise you, I check them all very carefully before actually opening the attachment.

So far I’ve not seen any such malware personally, but I think an ounce or two of caution is a Good Thing in this case.

Constant Vigilance!

--Claus V.

No comments: