Hackers Are Spamming Businesses' Receipt Printers With 'Antiwork' Manifestos

"ARE YOU BEING UNDERPAID?" one of the manifestos read. "You have a protected LEGAL RIGHT to discuss your pay with your coworkers. POVERTY WAGES only exist because people are 'willing' to work for them."

"Someone is using a similar technique as 'mass scanning' to massively blast raw TCP data directly to printer services across the internet," Morris told Motherboard in an online chat. "Basically to every single device that has port TCP 9100 open and print a pre-written document that references /r/antiwork with some workers rights/counter capitalist messaging."

Ok but how are these receipt printers ending up with publicly routable addresses? Nearly every ISPs is gonna give you one IPv4 address and NAT everything under that. The calls would have to be coming from inside the house.

Previously, previously, previously.

Tags: , , , ,

23 Responses:

  1. "That" Guy (but he works in netsec) says:

    This is what happens when you underpay your IT guys, not so much deliberately but if you're cramming customers in mistakes get made.

    In as much as this is actually happening and not people faking for internet points.

    • jwz says:

      Most businesses that have receipt printers do not have IT guys at all. They have whatever Comcast or whoever set up, and that uses NAT.

      • ssl-3 says:

        Some ISPs have been pretty generous with assigning routable IPs to business customers. Spectrum at one point would offer 5 of them for a lot of different account types, even those that had no idea what that was. IIRC, things could also be configured so that it would issue these addresses with DHCP.

        So if the number of devices on the LAAN is fewer than 5, then there's no need for NAT. Just plug your devices straight into The Internet and things Just Work(tm).

        The world is your LAN.

        Which is actually kind of neat (and would have been fucking awesome in 1993 when the network was much more innocent), except that no NAT also tends to imply no firewall.

        A receipt printer with a static routable IPv4 address is no surprise to me at all, nor is it surprising that it has port 9100 open for the world to fuck with with zero authentication.

      • G says:

        I would not be surprised if this worked at big_chain I worked at a few years ago. The company had a /8 and every store device, including receipt printers, had a global IPv4 address. (The third octet was the store number...) Our store had no IT staff, only corporate did - but they were woefully understaffed, and based on my few interactions with them every store was very "uniquely" configured.

    • Derpatron9000 says:

      Because every coffee shop has "IT guys".....

  2. Dude says:

    The calls would have to be coming from inside the house.

    I'll be damned... Meg Elison's recent short story is coming true!

  3. Derek Schrock says:

    IPv6? I think it's default now on Comcast installs.

  4. Zygo says:

    I don't know how they're doing it, but I can think of a few ways they could be doing it.

    Some of these start by recruiting insecure Comcast or whatever boxes and dropping a port scanner agent on them to scan the private LAN segment behind the NAT box. Most of them will be an ARM Linux box running software from 2004, so it probably has as many holes as a fine Emmentaler, not counting stuff the vendor added on top. Bonus points if it's not as well-maintained as a Comcast box, which at least has a theoretical security response team behind it with the ability to do firmware updates from the ISP side. The technique has been used in the past to achieve all-IPv4-space port-scans (though I've seen a few of these with results posted and their coverage of IPs I control is...spotty at best).

    On the other hand, spamming printers is orders of magnitude easier than that. They're only interested in one port, and they don't sound like the kind of people who would put in the work required to round up thousands of flaky ARM boxes, so it's probably something much simpler.

    People might be inviting the hackers in by designating the PoS terminal host as the DMZ host, which effectively forwards every connection arriving at the public IP to the terminal host (maybe to make lazy remote admin easier?). Then as long as that host has a daemon that speaks IPP, it will find the printer on the private LAN so the hackers don't have to. It will even helpfully queue up the document if the printer is busy when the portscanner gets to it.

  5. Krunch says:

    Most are probably behind NAT but I can totally believe that dozens (as per first line in article) to thousands (as per Shodan, according to the article) of those are readily accessible from the internet, be it via IPv6 or otherwise.

  6. Alasdair says:

    Guest Wifi? If the receipt printers are on the same access point, and there's no access point isolation, then it isn't too hard to nmap the local subnet and spew stuff to up IPs.

    Or VICE made it up as clickbait.

    • Not Frank says:

      The Guest Wifi case probably applies in a lot of independent shops, at least. Back pre-pandemic I'd helped a few friends with businesses out with their wifi/network setup, and there was frequently nothing more than a consumer-grade Netgear router set up without AP isolation or guest network mode to keep the shop tech separate. I looked a little bit at making that my primary line of work, but I'd have to charge more than I was comfortable charging.

      • jwz says:

        Wardriving guest wifi is a lot more resource intensive than port scanning. And by resource intensive I mean requires pants.

  7. Penguin Pete says:

    This is the most cyberpunk story I've seen in awhile.

  8. Michael Kohne says:

    I wouldn't be shocked if the things were doing uPNP and making themselves more visible than they should - I've heard stories of regular printers doing so. I honestly can't prove that the big laser here at the office doesn't do so.

  9. Erin M says:

    I have to say that in the 25 years I've been working in the computer field, this is the first time I've ever seen spam used for something positive.

  10. Ben says:

    I joined their discord and there is no discussion of this. So either it's one guy doing it on his own, or they have better opsec than a lot of these groups.

  11. tfb says:

    The origin of the story seems to be a company called GreyNoise, and they now have a blog post about it in which they claim that it is coming over the internet.

    My guess, which I see someone else has already suggested, would be UPnP and routers set up to allow it (because obviously having a router which allows anything on the local network to say 'make this public port point at me' is never, ever going to lead to bad things happening).

  12. Eric says:

    So, SO many POSes out there are running some unpatched version of Windows XP. I'd think it would be easier to hack into those and issue a print job from there.

Leave a Reply

Your email address will not be published. But if you provide a fake email address, I will likely assume that you are a troll, and not publish your comment.

You may use these HTML tags and attributes: <a href="" title=""> <b> <blockquote cite=""> <code> <em> <i> <s> <strike> <strong> <img src="" width="" height="" style=""> <iframe src="" class=""> <video src="" class="" controls="" loop="" muted="" autoplay="" playsinline=""> <div class=""> <blink> <tt> <u>, or *italics*.

  • Previously