So the news doesn't always get all the technical details right, or sometimes they're devoid of any technical details. And I'm curious: whenever I see something that I want to solve, there's more technical information I want to know. Some of it's just curiosity; the other part, specifically in this one, is how they did it and how can we stop it from happening again? And specifically we're talking about the bogus bomb threats that were sent a few weeks ago. Now, this happened, and we were called by someone who wanted us to help investigate this. So I did some tracing to try and figure out how it all happened and break it down, and then talked to other tech friends I had who also had places that had the same threats come through.

Now, they all say the same thing in the news, and it's because I think it's easier to understand if they put it this way, even though it's not technically accurate. So: "State police investigate bogus bomb threats sent to newspaper plant." And here's another one: "Fake bomb threats target Russellville business and church"; River Valley Church, pawn shop targeted by scam bomb threat. University, Detroit, my area here: the fourth evacuation after a fax received. And we're going to get to the facts on that (fax, not facts). "Homeland Security investigating bomb threats": this was in Atlanta. Then we have "Tuesday morning's bomb threat at Lawrence Memorial Hospital deemed to be a hoax." This one has a little bit of information, because they said it came out on a printer. That's more accurate; we're going to get to those details. "Bomb threat to Whitman business turned out a hoax," and if you search for this, man, you can just keep going on and on: "Oak Creek bomb scare scam targets local businesses." I mean, I'm not going to go through every single news article. "Bomb threat may be new trend": that's a little more accurate. "Bomb threat faxed to Napa store": not faxed.
Let's get the facts straight. So this is the letter in its entirety, which, if you want to read it... I know I didn't show that very long. Here's the easier version to read. It's in not-well-done English: "Good morning. I'll be brief. I've installed several explosives in the building." So we knew someone who got this "fax," and we were called in to kind of investigate this fax, as they thought it was. Let's dig in deeper to what that was.

So this is some type of scare attack that was used, and it allegedly wants you to send money to some passport number, a Brazilian passport, to be drawn out of Chicago, and they've got some guy's name in here. Now, if you Google the guy's name, some controversial site comes up. I don't know any details. He's apparently an American citizen, and from what little I could gather through Google Translate, he has asylum here in the US. This appears to be an attack not to get money as much as to cause disruption for him, because undoubtedly, when you have a bunch of bomb threats sent out with your name on it, you will undoubtedly get a call from the police, who are going to stop by your place and go, "Hey, there's these bomb threats going out with your name on it." So I don't know; I don't really know who's behind any of this.

But this is where the technical details get interesting. So my first thoughts, when we went to this client to investigate, were: okay, was it a fax? No. Job history on the printer: there were no faxes received on their machine. No faxes; this came through here. So then we see this file here, completed: "Sem Título." It's got the little, it's hard to see, but it's got the little accent marker, that's called the little tilde thing, above it. So here's the file name on the printer and when it was sent. Turns out the business was closed the day it was sent and no one was there, and it was done at, see, look, 11:25 p.m. print time.
I don't know why it sat in the queue for so long. Anyways, so here's the print job, but I noticed that this was an odd name for a file. It didn't take me long to figure out that the person who sent this was very likely a native Portuguese speaker. Now, I first thought Spanish, but then after Googling the guy's name, he's really someone from Brazil, and in Brazil they speak Portuguese, I think; I'm pretty sure. And I'm working on technical facts: the person who sent this was likely a Portuguese speaker whose system was set to the Portuguese language. The reason I say this is because the little accent marks above the letters tell me that; those are a little harder to type in. But that's also "Untitled 1" when you translate it to English, as in, like, when you open up a new document, it doesn't have a title, like in basic Word or something like that, or actually WordPad. I mean, it'll come up with just "Untitled 1." We've probably all seen it before.

So then I'm like, all right, somehow they connected to their network and did this. But then, I mean, the first I heard of it was from this customer that contacted us. Then I started seeing it all over the news, and I'm like, okay, there's no way the same person connected to everyone's Wi-Fi. Now, they had an open Wi-Fi with their printer on the same network; not a good idea. Things have been fixed, well, you know, at the client, so this, you know, doesn't happen again if this was the attack vector. You know, you don't want your business equipment on the same network as the open Wi-Fi that you provide to the general public that walk in the door. But once I saw it going through the news and everything else, I'm like, we've got to dig further into this, and this is where it gets puzzling. Now, this is a Netgear WNR, and of course, like any small business, no one's managing it, no one's patching it. They're not a business that has any type of active services.
So you don't think about that. They plugged in a router they bought from Best Buy, and that was like five years ago. It has been working fine, so they don't see any problem with it. But there is a list of vulnerabilities in the firmware for the Netgear; Netgear has had several issues with some of them, so this, I believe, has a few CVEs. I didn't pull them all in the list, but this is what concerns me: turns out we have port 80, I'm sorry, port 80, port 900, 8900 and 9100. So if you're familiar with printer ports, 9100 is your standard HP printer port, and it's mapped open. Now, they are not technically savvy in this, so I know that a vendor probably, at one point, because they have a camera system, opened up port 80. They got one of those cheap Chinese systems; that could have been the vector of attack. I can't even find any information on the cheap Chinese system, which was awesome. It's all about five years old. It's one of those that has a generic name on it. Those are known for a lot of security vulnerabilities. It seems to be functioning. I don't really have any, you know... I wasn't going to dig deeper and see how that was hacked, if it was part of the attack at all. But I found it interesting that there's three entries now. There are Epson and HP printers; neither one of those supports the HP PCL language, 9100 port. The Ricoh does, but each one's mapped. So something got inside their network, and their computers had... there's so many computers coming in off the network, because it's just the general public, any one of them could have been infected. We didn't find anything directly on the systems that they had in there. Actually, their systems are kind of simple, because they mostly remote into a management system that they use to run their business.
So there's not a lot installed on their computers. Nothing jumped out at us there at all. But of course, the open network thing; somehow it got in here. And this is all default passwords, you know; hold your shock here that it was all left to default passwords. But it mapped the port on the printer externally. We don't know when this happened, because unfortunately Netgear doesn't keep a log of when firewall changes happen. This is one of the reasons we, you know, recommend business firewalls, because, well, this is, you know, enterprise-class stuff: it doesn't have this basic interface, it's logged, it, you know, tracks logins, and there's no default password. You have to set a password, for example, when you're using a pfSense firewall.

Anyways, so what happened here was, somehow, some type of, I'm going to guess, spyware-type program, malware-type program, that looks for vulnerabilities in the Netgear. Now, it would have to have some visibility, I'm assuming, to the inside of the network, because it found these printers. Now, like I said, these first two printers don't support that type of printing, but the Ricoh does, which means... and it's all fixed and deleted now and the firmware updated. But the Ricoh can just receive print commands, because they're not authenticated, from any external IP address. That being said, you can massively send out, by scanning port 9100, a bunch of, well, maybe bomb threats; an odd use for the time you'd take to send all these out.

Now, it's amazing, because, and we'll get back to this one right here, "Tuesday morning's bomb threat at Lawrence Memorial Hospital deemed to be a hoax": "the non-network dedicated results printer." So that's not a fax machine. So the same threat comes through here; clearly not a fax machine. Well, because it's a "non-network printer," which I think is someone in the news getting some of the facts wrong again, because it's definitely a network-style printer. That's how it prints.
It's just they probably meant they didn't think it was internet connected. And here's part of the problem, too: no IT guys want to admit that, whoops, we messed up and left printer ports open. And the comments I got from other IT guys that I talked to anonymously, who will not be named: they told me that, "We think the last guy left all the printer ports open." And I said, I don't think so. I mean, why would even an incompetent IT guy open up all the printing ports externally? Don't get it. Even if they're inept, that takes effort to do. So the fact that they found it in one... one IT guy mentioned he's an admin and they have 10 different sites that they remotely manage that were hit, and they found open printer ports on those, and he's like, "I think the other guy did it." I'm like, seems odd that someone would go through the trouble of doing that. So somehow the malware did this. He did not reveal what type of hardware they're using, but it could have been consumer hardware like Netgear, and like I said, some people don't want to admit that they're using really basic things, because, well, you know, it's not a great idea, and this is the exact result.

But this points at a bigger issue I see with this threat. Wow, for all the effort it took and all the disruption that this person caused, just to put someone's name on it? That, wow, for everything they did, why wouldn't they go through and do something bigger? You know, it's always like the stacking of threats, and kind of going, all right, what else could they have done? Because this is where it gets scary. You know, what if they would have been more disruptive, more deceitful? I mean, that's pretty bad, but it's really, you know, just kind of scary to think that, you know, this person did that, and at what scale could they do it? Again, was this just a test? You know, was it just something malicious? Someone wanted to be funny?
You don't know, and it's super hard to trace these people, because, once again, they're using consumer hardware. This Netgear simply doesn't have the logging facilities for what traffic passed through it, so I don't even know what IP address it came from. This is a pretty old Ricoh Aficio model; once again, no logging. It only logs the file name that was sent to the printer. Once again, no IP address information at all inside of it. So I have no visibility to even begin to track back on it, and I'm sure this is the same problem that Homeland Security and the FBI that are investigating it are having.

But this is one of those, you know, instances that I wanted to talk about, because I wanted to get the details right. This is clearly a pretty big deal, and these are just the news stories we know about. I mean, the craziness of just being able to put that in and find "$25,000 bomb threat" and see just how many news articles are related to it is pretty wild. But this is one of those things like I wanted to follow up on the news story. I wanted to follow up on what happened in the technical details, and I'm hoping other technical people share more information, because I'm curious about what happened. But I think I've pretty much got it. But if you have some more information on this, I mean, obviously cool; if you have real information, contact local authorities. I don't think I'm disclosing anything that I didn't read in a newspaper, except for the part where I'm disclosing that it was not a fax; it was this. But I think getting the facts straight also helps us, you know, narrow down where to look. I mean, if you're assuming a fax, you're running around tracing phone lines; you're wasting your time.
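As an added example (not the video's or any vendor's code) of the attribution record that the Netgear and the Ricoh were missing: a small Python listener you can point a forwarded port 9100 at, in place of the printer, that records each connection's source IP and guesses the job language from its first bytes. It assumes the standard PJL, PostScript and PCL prefixes; the sample job in the client helper is constructed.

```python
import queue
import socket
import threading
PJL_UEL = b"\x1b%-12345X"   # universal exit language: opens a PJL job
PS_MAGIC = b"%!PS"

def classify_job(data: bytes) -> str:
    """Guess the print language from the first bytes of a raw-9100 job."""
    if data.startswith(PJL_UEL) or b"@PJL" in data[:64]:
        return "pjl"
    if data.startswith(PS_MAGIC):
        return "postscript"
    if b"\x1b" in data[:16]:            # bare PCL starts with an ESC sequence
        return "pcl"
    return "text"

class PrintPortLogger:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # port=0 picks a free port
        self.log = queue.Queue()                 # one dict per connection
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, (ip, sport) = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, ip, sport),
                             daemon=True).start()

    def _handle(self, conn, ip, sport):
        with conn:
            conn.settimeout(5)
            try:
                data = conn.recv(4096)           # the header is enough to classify
            except socket.timeout:
                data = b""
        # The attribution record neither the Netgear nor the Ricoh kept.
        self.log.put({"src_ip": ip, "src_port": sport,
                      "bytes": len(data), "kind": classify_job(data)})

    def next_record(self, timeout=5.0):
        return self.log.get(timeout=timeout)     # raises queue.Empty on timeout

def send_sample(port, payload):
    """Constructed local client used only to exercise the logger."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
```

Binding the real port 9100 needs elevated privileges on most systems; with port=0 it takes a free ephemeral port for local testing.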
This did not come over a fax. Maybe in another circumstance it did; seems unlikely. That's a much more difficult attack, sending out faxes, because you have to deal with phone lines. The internet: open up the dark web, ram out port 9100 and see what prints where, because they have no real way of tracking it back. Once you send it this way, there's no track-back. They don't know; the letter sounds threatening, because it says "we'll know if you contact the police," but they don't. There's not a way for them to really tell, and obviously everyone contacted police. Good news: it was a hoax. I mean, this is a pretty serious matter, but it is pretty scary.

Now, the other reason for getting the facts out here is hopefully they get fixed, because this not only could happen again... let me give you some detail here. So this is Shodan, which is a search engine for, well, exploits, and specifically it searches IP addresses and can show you the things that are open. So this is port 9100, which is so you can send things to printers. To give you some idea of the scale of the problem, there are currently 96,000 printers showing open. This is not a normally authenticated system, so you can probably send data to maybe, let's say, even half of these. So let's say, you know, 40,000 to 45,000 computers that are printers you could just send a print job to, and these are the results from Shodan scanning them. I mean, it's telling you a lot of issues. So you're talking about just starting to send out all these print jobs and cause chaos. People need to fix these things. This is a problem. If they don't fix it, we're going to see more of this, because somebody's going to play around and go, "I can send this thing to this many people," and send it out. It happened once at a decent scale; it will happen again until this gets fixed, and because so many small businesses, you know, don't even know that's a problem, I'm, you know, hoping other IT people go,
"Hey, this is something else to check for." You know, we've checked in on our clients. We recommend they replace things like old, out-of-date routers and things like that. Part of the challenge that I always have as an IT company is we have some small clients; we tell them to switch, they look at the price and go, "It isn't broke. We'll just ignore things that come through the printer." You get the most generic answers, because they don't want to spend any money on it. But obviously this was a big disruption to a lot of people, a lot of businesses, and very concerning.

So if you're interested in content here, like and subscribe. If you found this article interesting, let me know. I plan on doing more hack articles and try to get into the details, because I like the details behind it, more in-depth than the news, and I'm hoping sharing this information will be helpful to other people as to how the hack occurred and hopefully how we can prevent it, because we do not want things like this occurring. It's disruptive, it's scary, it's, you know, wasting resources of our law enforcement, and it's very disruptive to everyone involved, and hopefully nothing bad comes, you know, through there, and someone exploits us again before we start fixing all these problems. Thanks for watching. Appreciate it.