This week in the security news:
- Malware-laced printer drivers
- Unicode steganography
- Rhode Island may sue Deloitte for breach. They may even win.
- Japan's active cyber defense law
- Stop with the ping
- LLMs replace Stack Overflow - ya don't say?
- Aggravated identity theft is aggravating
- Ivanti DSM and why you shouldn't use it
- EDR is still playing cat and mouse with malware
- There's a cellular modem in your solar gear
- Don't slack on securing Slack
- XSS in your mail
- SIM swapping and the SEC
- Ivanti and libraries
- Supercomputers in space!
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Cyber threats move fast — are your credentials already out there? Join Channel E2E and Flare for Tales from the Dark Web, a live webcast revealing how infostealer malware and account takeovers happen — and how to stop them. See real-time demos, learn proactive defense strategies, and discover how Flare’s identity intelligence can keep your data safe. June 12 at 2 PM Eastern — register now at https://securityweekly.com/darkweb!
Paul Asadoorian
- Expression Payloads Meet Mayhem – Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
One thing that sticks out is that this could be not due to a vulnerable library, but due to insecure usage of a library (vulnerable or not). This means, and is "best practice", that you can't rely on SCA to spot all of your vulnerabilities. Just because you have a vulnerable library doesn't mean you are vulnerable. And just because you patch a library doesn't mean you're safe. You must use several different processes to secure software: static analysis in your developer's IDE, unit tests that look for vulnerabilities, SCA for supply chain security, dynamic analysis, etc... It's clear there is no commitment to security in many appliance vendors. They've inherited code, which I can attest is a nightmare to maintain, but they have not adopted industry best practices for secure software development. This is just one reason they will remain a target and we've not heard the last vulnerability in this space.
- Spies hack high-value mail servers using an exploit from yesteryear
Kind of impressed by what old XSS exploits will get you as an attacker, which includes:
- Steal webmail credentials (sometimes by forcing logouts and displaying fake login forms).
- Exfiltrate contacts and email messages.
- SpyPress.MDAEMON can steal two-factor authentication (2FA) secrets and create app passwords to bypass 2FA.
- Some payloads set up email-forwarding rules for persistence.
If you are glossing over XSS vulnerabilities, you must not. Patch them please?
- Malware-infected printer delivered something extra to Windows users
Well, it wasn't the printer, it was the printer drivers, both on USB drives and on the company's website:
Here’s a concise summary of the article from Malwarebytes about malware-infected printers:
- Procolored, a Shenzhen-based printer manufacturer, shipped UV printers with malware-infected software on included USB drives and via their website.
- Reviewer Cameron Coward found that the included Microsoft Visual C++ Redistributable was flagged by Windows Defender for the Floxif virus. The company denied any issue, claiming false positives.
- Cybersecurity expert Karsten Hahn scanned Procolored’s files and found two types of malware:
- Win32.Backdoor.XRedRAT.A: Gives attackers full remote control over the victim’s PC.
- MSIL.Trojan-Stealer.CoinStealer.H: Steals cryptocurrency by swapping clipboard addresses; attackers have already stolen about $100,000.
- After being confronted with evidence, Procolored admitted a virus may have been introduced during USB transfers and promised to temporarily remove and scan all downloadable software. ** Begs the question: on purpose or by accident?
- The article highlights a history of hardware manufacturers accidentally (or sometimes deliberately) distributing malware, emphasizing that even reputable brands can make security mistakes.
- The Maker’s Toolbox: Procolored V11 Pro DTO UV Printer Review
This is the original UV printer research. Summary: "The Procolored V11 Pro DTO/DTF UV printer, starting at $5,999, is a business-oriented machine engineered with long-term maintenance and ink costs in mind. The printer's software is crawling with viruses, but the hardware is respectable, built sturdily, and produces great print quality. The software is acceptable and allows users to tweak every parameter. Maintenance can be a pain, but the V11 Pro uses readily available heads that are easy to access. The reviewer is reluctant to recommend this printer to small businesses and serious hobbyists until Procolored proves that the virus risk has been eliminated."
- How Hackers Weaponize Slack: Lessons From Real Slack Dump Attacks
How Slack Attacks Happen:
- Initial Access - Attackers gain access to a user’s device, often via malware. They harvest identity tokens from memory, bypassing Multi-Factor Authentication (MFA).
- Lateral Movement - Using compromised credentials, attackers move through the network, escalate privileges, and deploy Remote Access Tools (RATs). Attackers extract further credentials, eventually gaining domain admin access.
- Slack Compromise - With high-level credentials, attackers extract Slack authentication tokens from memory. They gain full access to Slack, including private channels and sensitive data.
Security Weaknesses Highlighted:
- Endpoint Detection & Response (EDR) Gaps: Many EDR solutions fail to detect advanced RATs or credential harvesting.
- MFA Limitations: Memory token theft bypasses MFA.
- Detection Gaps: Techniques like process hollowing evade security monitoring.
- Data Exposure: Slack often contains highly sensitive business data.
- Rogue communication devices found in Chinese solar power inverters
Summary:
- U.S. energy officials are reassessing security risks after discovering undocumented communication devices embedded in Chinese-made solar power inverters and batteries, which are critical components of renewable energy infrastructure.
- These inverters, primarily manufactured in China, connect solar panels and wind turbines to power grids and are also used in batteries, heat pumps, and electric vehicle chargers.
- While inverters are designed to allow remote updates, utilities typically block direct communications to China with firewalls. However, the rogue devices—such as hidden cellular radios—create additional, undocumented communication channels that could bypass these protections.
- Experts warn that these hidden pathways could allow remote actors to disable or alter inverters, potentially destabilizing power grids, damaging infrastructure, and causing widespread blackouts. * One source described this as a "built-in way to physically destroy the grid".
- The number of affected devices and the identities of the Chinese manufacturers involved have not been disclosed. The U.S. government has not publicly acknowledged these findings.
- The U.S. Department of Energy (DOE) stated it is continually evaluating the risks of emerging technologies and highlighted challenges in ensuring manufacturers fully disclose all product functionalities. Efforts are ongoing to improve transparency, including initiatives like the "Software Bill of Materials"
Thoughts:
- This is a very high level report, no details were given to provide evidence that the backdoors found were malicious or have ever been used for malicious purposes.
- It is super difficult to detect hardware backdoors like this
- Backdoors that use 3G/4G communications are hard to detect and separate signal from "backdoor"
- There must be some tie to the actual hardware and firmware if they are to use the backdoor to control the devices
- Perhaps firmware inspection would provide details that we can test for?
- Analyzing the Attack Surface of Ivanti’s DSM
If you are using this software, you may want to start planning to migrate to something else:
- Ivanti DSM is a Windows-based solution for centralized software distribution and management, used in many enterprise environments. Despite its long history and multiple ownership changes, its security architecture is not well-documented publicly. DSM will reach end-of-life in December 2026.
Key Security Findings
- DSM has a history of critical vulnerabilities, including local privilege escalation (CVE-2024-29821, CVE-2023-28129) and remote code execution (RCE).
- Credential Storage: DSM stores credentials (such as privileged Active Directory accounts) in a proprietary configuration database (ICDB) on endpoints. Many of these credentials, if not properly encrypted, can be extracted and decrypted by attackers.
- Encryption Weaknesses: Multiple custom encryption schemes are used for stored passwords. Only the latest schemes (k6 and k7) are considered secure; older schemes are easily reversible if an attacker gains access to a managed host.
- RPC Attack Surface: DSM exposes a large set of Microsoft RPC interfaces, some of which previously allowed RCE or privilege escalation. While some vulnerabilities have been patched, the broad attack surface remains a concern.
- Lateral Movement: Attackers with DSM console access or supervisor credentials can create and distribute software packages to any managed endpoint, enabling stealthy lateral movement within an organization.
- Evading Defender With Python And Meterpreter Shellcode: Part 1
Summary: "Even in 2025, Python-based shellcode loaders can bypass many AV/EDR solutions, but defenders can catch such activity with well-tuned detection rules. The blog aims to educate both red and blue teams on current offensive and defensive techniques." - We will always be in this cat-and-mouse game with malware and EDR. If you tune it right, you can catch advanced techniques. Tune it wrong and you have false positives and false negatives. This has been true for quite some time. I don't believe this is a brand new technique, but so many techniques exist for bypassing EDR it's challenging to keep up and inevitably you are going to miss something.
- Honeywell MB Secure Authenticated Command Injection
Why are we still letting users run commands from the web management interface? There are MANY vulnerabilities in IoT devices that stem from allowing the user to run the "ping" command from the web UI. Can we just stop doing that?
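As an added illustration of the "ping from the web UI" problem described above (this is editor-supplied example code, not Honeywell's firmware and not from the advisory), the block below puts the vulnerable pattern, a string built from the form field and handed to a shell, next to a hardened version that accepts only a literal IP address and passes it to `ping` as an argv list with no shell in the path. The sample inputs are constructed; the `-c 1` flag assumes Linux iputils `ping`.

```python
import ipaddress
import subprocess

# Constructed sample inputs (not from the Honeywell advisory): one legitimate
# address and one attempt to chain a second command onto the ping target.
SAMPLE_INPUTS = ["192.0.2.10", "192.0.2.10; cat /etc/passwd"]


def build_ping_command_unsafe(host):
    """The vulnerable pattern: the web form value is spliced into a shell string.

    Anything after ';', '&&', '|' or inside $(...) in `host` is executed by the
    shell when this string is run with shell=True. Never run this with untrusted
    input; it is here only to show what the hardened version prevents.
    """
    return f"ping -c 1 {host}"


def validate_host(host):
    """Accept only a literal IPv4/IPv6 address; return None for anything else.

    Rejecting everything that is not an address closes both command injection
    (no shell metacharacters survive) and flag injection (an address can never
    start with '-').
    """
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        return None


def build_ping_command_safe(host):
    """Hardened pattern: validated value, passed as an argv list with no shell."""
    addr = validate_host(host)
    if addr is None:
        raise ValueError(f"rejected ping target: {host!r}")
    # '-c 1' is the Linux iputils count flag (assumption); Windows ping uses '-n'.
    return ["ping", "-c", "1", addr]


def run_ping(host, timeout=5):
    """Run the hardened command. shell=False means argv goes to execve directly,
    so there is no shell to interpret metacharacters."""
    argv = build_ping_command_safe(host)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.returncode, result.stdout


def classify_inputs(inputs):
    """Return {input: accepted?} so a reviewer can see what the validator does."""
    return {value: validate_host(value) is not None for value in inputs}


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"unsafe string would be: {build_ping_command_unsafe(value)!r}")
        try:
            print(f"hardened argv:          {build_ping_command_safe(value)}")
        except ValueError as exc:
            print(f"hardened:               {exc}")
```

If the UI genuinely needs hostnames as well as addresses, extend `validate_host` with a strict allow-list pattern (letters, digits, hyphens and dots only) rather than trying to deny-list shell characters; the argv list without a shell stays the same either way.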
- RI considering legal action against Deloitte after cyber-breach
Latest update on RI Bridges.
Jeff Man
- Fashion giant Dior discloses cyberattack, warns of data breach
No credit card information compromised...nothing to see here.
- Coinbase confirms data breach with hackers demanding $20 million ransom
It's really bad when the threat actor is the one notifying you of the breach.
- Massachusetts college student to plead guilty to PowerSchool data breach
Back in the day we used to offer jobs to kids like this.
- Tennessee’s largest school district sues PowerSchool over data breach
But then, someone has to pay.
Lee Neely
- Hack of SEC social media account earns 14-month prison sentence for Alabama man
The 25-year-old Alabama man who executed a SIM-swap attack to allow access to the Securities and Exchange Commission (SEC) account on social media platform X will spend more than a year in prison for the incident. Eric Council Jr. had pleaded guilty in February to federal charges of conspiracy to commit aggravated identity theft and access device fraud.
This was a SIM swapping attack, highlighting the need to move to stronger authentication options. Particularly for official corporate accounts, which should use the premium/verified services as well. Don't leave SMS as a fall-back, the attackers know how to click the "try another validation method" button as well. Note X supports an authentication app or security key as well as SMS and disabled the use of SMS for premium accounts in March of 2023.
- CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2024-12987 - DrayTek Vigor Routers OS Command Injection Vulnerability
- CVE-2025-4664 - Google Chromium Loader Insufficient Policy Enforcement Vulnerability
- CVE-2025-42999 - SAP NetWeaver Deserialization Vulnerability
- Japanese Parliament Passes Active Cyber Defense Law
Japanese legislators have passed a new Active Cyber Defense Law that allows the country to conduct offensive cyber operations in the hope of preempting cyberthreats. Japan tried to pass similar legislation in 2022, but it was voted down. The law allows the country's government "to analyze foreign internet traffic either entering the country or just transiting through it," but does not allow for the collection and analysis of domestic internet traffic.
While this is designed to be in effect in 2027, there are a lot of details to be sorted out, in a relatively short timeframe. The legislation also includes fines for illegal use or leak of acquired information as well as creation of an oversight organization to monitor and approve any acquisition of data and actions to neutralize threats. A national cybersecurity office will coordinate responses to cyber threats with police and military units.
- Printer maker Procolored offered malware-laced drivers for months
For at least half a year, the official software supplied with Procolored printers included malware in the form of a remote access trojan and a cryptocurrency stealer. Procolored is a digital printing solutions provider making Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers. It is particularly known for affordable and efficient fabric printing solutions.
If you have a printer, you need to both deploy the updated software and scan for XRedRAT and SnipVex. Note that removing SnipVex is more complicated and may require a system reimage.
- Alabama state government admits attack, reveals few details
The Alabama state government is investigating an unspecified "cybersecurity event" that it said has affected some state systems, but didn't involve the theft of citizens' personal info. The Alabama Office of Information Technology reported the incident to the public last week in a note that revealed it is working with outside cybersecurity consultants to secure and restore impacte https://oit.alabama.gov/wp-content/uploads/2025/05/May-2025-Cybersecurity-Event-5-16-UPDATE.pdf
- Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards
Mozilla has updated the Firefox browser to address a pair of critical vulnerabilities that were found last week during Pwn2Own Berlin 2025. CVE-2025-4918 is an out-of-bounds access issue in the JavaScript engine when resolving Promise objects; CVE-2025-4919 is an out-of-bounds access issue when optimizing linear sums. The flaws affect Firefox before 138.0.4 (including Firefox for Android); Firefox Extended Support Release (ESR) before 128.10.1; and Firefox ESR before 115.23.1.
CVE-2025-4918 has a CVSS score of 7.8 while CVE-2025-4919 has a CVSS score of 8.5. Both flaws were demonstrated in the Pwn2Own Berlin hacking contest last week, for which they were awarded $50,000 each, which means there will definitely be copycat attacks trying to catch you before you've deployed the update, which was released May 17th. https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/
- EU court rules that tracking-based online ads are illegal
In short, the ruling is that tracking by online advertisers (aka the TCF) relies on an inadequate consent model and is therefore insufficient under the GDPR. The message is to move from surveillance-based advertising to (privacy) rights-based advertising. The case goes back to 2023, so there is an expectation that updates be made soonest to TCF/RTB as used in Europe. Even so, it's going to be a bit before that gets updated, let alone changes made to the RTB process used by companies such as Meta, Google, Amazon and X.
- NHS IT chiefs urge vendors to pledge their cyber allegiance
Top cybersecurity officials within the UK government and the National Health Service (NHS) are asking CEOs of tech suppliers to pledge their allegiance to sound security by signing a public charter.
Given the number of health-provider-focused cyber-attacks (NHS categorizes it as an "endemic" threat), asking partners to voluntarily sign onto a minimum-security posture is appropriate. In another context we would call this flowing down security requirements. Even with a commitment to security standards, ongoing validation is still necessary. Don't assume that as business partners grow and evolve, implementing new services and onboarding new partners, their security posture remains static. You will continue to need to assess and respond to the risks of security decisions made by these partners.
- FBI warns of fake texts, deepfake calls impersonating senior U.S. officials
The US Federal Bureau of Investigation (FBI) has published an alert warning that criminals are impersonating government officials in phony voice and text messages. The alert says that the campaign has been active since April of this year and appears to be targeting certain people, "many of whom are current or former senior US federal or state government officials and their contacts."
Deep Fakes are another weapon in the social engineering arsenal. Even so, the detection is the same - they are not the genuine party, and they are asking you to take action you would not otherwise perform. Verify the email, web or phone reaching out to you; don't call the offered number, look up the number yourself. On the flip side, insist that official mechanisms are used for business (company phone, email, chat, meeting platform) communication. The IC3 PSA below includes detection, prevention and reporting advice we can all leverage. https://www.ic3.gov/PSA/2025/PSA250515
Mandy Logan
- RI considering legal action against Deloitte after cyber-breach
Rhode Island Attorney General Peter Neronha is considering possible legal action against state contractor Deloitte following a third-party review into a cyber-breach that put the personal data of more than a half-million Rhode Islanders at risk.
“The state is pursuing all available remedies at this time,” Neronha spokesman Tim Rondeau told The Public’s Radio.
Gov. Dan McKee used a Statehouse news conference Thursday to detail the findings of a review by cyber-security firm CrowdStrike, including how the breach of RI Bridges, the state’s online portal for health and human service benefits, went undetected for about five months before being discovered last December.
Sam Bowne
- China begins assembling its supercomputer in space
China’s ADA Space has launched the first of a planned 2,800-satellite network of AI supercomputers. “Orbital data centres can use solar power and radiate their heat to space, reducing the energy needs and carbon footprint.” The US and Europe could carry out similar projects in the future.
- Microsoft’s Satya Nadella is choosing chatbots over podcasts
Instead of listening to podcasts, he now uploads the transcripts to Copilot, then talks to Copilot about the content during his drive to the office.
- How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes
“I first looked at the admin panel secure.telemessage.com and noticed that they were hashing passwords to MD5 on the client side, something that negates the security benefits of hashing passwords, as the hash effectively becomes the password.”
Hoping to find vulnerable JSP files, the hacker then used feroxbuster, a tool that can quickly find publicly available resources on a website, on secure.telemessage.com and archive.telemessage.com, and found the vulnerable URL, which ended in /heapdump.
This URL provides 150-MB of heap memory, containing a snapshot of the server’s memory at the moment the URL was loaded. That data contained credentials from recent logins and plaintext chat logs. “I can read Coinbase internal chats, this is incredible.”
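To make the "the hash effectively becomes the password" point concrete, here is an added example (editor-supplied, not TeleMessage's code, and using a constructed password rather than any real data). It contrasts the client-side MD5 scheme from the quote, where whatever the server stores is exactly what a client submits, with a server-side salted scrypt hash, where the stored record is useless as a login credential even if it leaks in something like a heap dump.

```python
import hashlib
import hmac
import os

# Constructed demo value; not a real credential from the story.
PASSWORD = "correct horse battery staple"

# --- Pattern from the story: client submits md5(password), server compares it
#     with the md5 it has stored. Whoever obtains the stored value (memory dump,
#     database, network capture) can log in by submitting it unchanged. ---

def client_side_md5(password):
    """What the browser computes and sends in the weak scheme."""
    return hashlib.md5(password.encode()).hexdigest()


def server_verify_client_hash(stored_md5, submitted_md5):
    """Server-side check in the weak scheme: a plain string comparison."""
    return hmac.compare_digest(stored_md5, submitted_md5)


# --- Sound alternative: the server hashes the submitted password itself with a
#     per-user salt and a memory-hard KDF. The stored record is not a credential. ---

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # ~16 MiB of memory per guess


def make_record(password):
    """Create the stored (salt, digest) pair for a new password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def server_verify_password(record, submitted_password):
    """Recompute scrypt over the submitted plaintext and compare digests."""
    salt, digest = record
    candidate = hashlib.scrypt(submitted_password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, candidate)


def demo():
    """Return (weak_scheme_replay_succeeds, strong_scheme_replay_fails, genuine_login_ok)."""
    stored = client_side_md5(PASSWORD)
    # Weak scheme: submitting the leaked stored value is accepted as a login.
    replay_works = server_verify_client_hash(stored, stored)

    record = make_record(PASSWORD)
    # Strong scheme: submitting the leaked digest (as text) is just a wrong password.
    replay_fails = not server_verify_password(record, record[1].hex())
    genuine_ok = server_verify_password(record, PASSWORD)
    return replay_works, replay_fails, genuine_ok


if __name__ == "__main__":
    print(demo())   # expected: (True, True, True)
```

Client-side hashing can still be layered on top (for example to avoid sending the raw password over a logging proxy), but only if the server then treats what it receives as the password and hashes it again with a salt; on its own it only changes which string an attacker needs to steal.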
- TeleMessage – Distributed Denial of Secrets
Thousands of heap dumps taken May 4, 2025 from TeleMessage. Due to PII in the dataset and the inclusion of groups and messages unrelated to government or corporate behavior, the data is currently only being offered to journalists and researchers.
- Trump to sign law forcing platforms to remove revenge porn in 48 hours
Supporters have touted the 48-hour timeline as remarkably fast, empowering victims to promptly stop revenge porn from spreading widely online. Critics have attacked the 48-hour timeline as too short, warning that platforms will be rushed to remove NCII and likely censor a broader range of content online. Others say it's too long, leaving time for content to be downloaded and reposted.
- New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender
It registers a fake antivirus product, so Windows automatically disables Microsoft Defender to avoid conflicts. To bypass signature requirements, Defendnot injects its DLL into a system process, Taskmgr.exe, that is signed and already trusted by Microsoft.
- OpenAI introduces Codex, its first full-fledged AI agent for coding
Codex, in research preview, allows experienced developers to delegate rote and relatively simple programming tasks to an AI agent that will generate production-ready code and show its work along the way. It can take anywhere from one to 30 minutes to complete the task.
- GPT-0.3: a revolutionary leap in AI—at an astronomical cost
GPT-0.3 leaves its predecessors in the dust when it comes to solving complex, multi-step problems and navigating nuanced logic. But running just one advanced query on GPT-0.3 can cost more than $1,500. For comparison, earlier models like GPT-0.1-mini clock in at a mere $0.20 per request—a gulf that’s hard to ignore.
- Stack overflow is almost dead
The volume of questions asked has nearly dried up, LLMs have replaced it.
- Malicious NPM package uses Unicode steganography to evade detection
The package, named os-info-checker-es6, uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location.
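A defender's first question for a story like this is how to spot invisible characters in a dependency before it ships. The scanner below is an added example (editor-supplied, not the researchers' tooling and not the actual os-info-checker-es6 payload, whose encoding is not described on this page); it flags Unicode format, private-use and unassigned code points, exotic spaces, variation selectors and Hangul fillers in source text and reports where they sit. The JavaScript sample it scans is constructed.

```python
import unicodedata

# Character classes that should never appear in hand-written JavaScript source.
INVISIBLE_CATEGORIES = {"Cf", "Co", "Cn"}   # format, private-use, unassigned
# Hangul fillers are category Lo but render as blank space.
HANGUL_FILLERS = {"\u115f", "\u1160", "\u3164", "\uffa0"}


def is_suspicious(ch):
    """True for characters that are invisible or not normally typed in source."""
    cp = ord(ch)
    if cp < 0x80:
        return False                       # plain ASCII, including \t and \n
    cat = unicodedata.category(ch)
    if cat in INVISIBLE_CATEGORIES:
        return True
    if cat == "Zs":                        # exotic spaces, e.g. U+00A0, U+3000
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return True                        # variation selectors (category Mn)
    return ch in HANGUL_FILLERS


def scan_source(text):
    """Return (line, column, 'U+XXXX', name) for every suspicious character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_suspicious(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def summarize(findings):
    """Count findings per code point, handy for a quick triage view."""
    counts = {}
    for _, _, cp, _ in findings:
        counts[cp] = counts.get(cp, 0) + 1
    return counts


def scan_file(path):
    """Scan one file; undecodable bytes become U+FFFD and are not flagged."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample: a string literal that looks like a lone '|' in most editors
# but carries zero-width and private-use characters; the accented comment on the
# last line is legitimate non-ASCII and must not be flagged.
SAMPLE_JS = (
    "// constructed sample, not the real package\n"
    "const os = require('os');\n"
    "const marker = '|\u200b\u200b\u200c\u200d\u2060\ue000\ue001';  // looks like '|' in an editor\n"
    "function check() { return os.platform(); }\n"
    "// résumé: this line has accented Latin letters and is fine\n"
)


if __name__ == "__main__":
    for lineno, col, cp, name in scan_source(SAMPLE_JS):
        print(f"line {lineno} col {col}: {cp} {name}")
    print(summarize(scan_source(SAMPLE_JS)))
```

Run it over `node_modules` (or in a pre-install hook) and treat any hit outside test fixtures as a review item; a legitimate package has no reason to carry zero-width or private-use characters in executable code.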
- France’s new laser rifle silently melts electronics at 500 meters — and Ukrainian infantry could really use it
The power unit fits in a backpack, and its laser power is likely sufficient to blind drone optics or melt plastic protective filters with short-duration exposure.
- ‘Aggressive’ hackers of UK retailers are now targeting US stores, says Google
The ‘Scattered Spider’ group, who hacked M&S, a major UK retailer, is turning their attention to similar companies in the United States. They are aggressive, creative, and particularly effective at circumventing mature security programs. In 2023, hackers tied to the group made headlines for hacking the casino operators MGM Resorts International and Caesars Entertainment.