Saturday, December 09, 2017

Keyloggers in HP Drivers? Not sure, but… Healthcare? Retail? Money?

I received one of those updates from one of those lists on LinkedIn this morning. The headlines read "Keylogger found in HP Printer Driver". When I went to read the piece —keyloggers interest me —the piece had been removed from LinkedIn. The idea that the piece is removed might mean it was false, or premature… I'm not sure. What I do know is this… Key loggers are a pervasive, cancerous threat to information security and the operations that worry about it.

Yesterday during a CTAC demo for a large healthcare company, I ran a quick demo using the API. I pulled everything from every sinkhole that we monitor for anything with the word 'health' in the industry field, domain, or email address.

This one query showed 8990 records going back to 2016, 855 in 2016 —significantly lower, and 73 unique addresses being sent to 23 sinkholes.

We know of roughly 1250 sinkhole locations that capture everything from healthcare to bank accounts to porn. The idea that HP print drivers are (may be) compromised with keyloggers would not be surprising.

The idea that we can pull meta data on these sinkholes during a live demo and have findings in almost every industry both thrills me as a collector and scares the hell out of me as a security guy.

The idea that there are keyloggers in HP Print drivers? This is yet to be seen, but I'd probably speculate that many drivers are likely compromised. Remember VPN drivers under XP? Who'd have thought those would have been compromised?

Keyloggers, from an attacker perspective, are low skill high payoff attacks. Deploy, wait to be clicked, let it report back and collect the goods.

I'm keeping it short this week.
Until next time,
Have a great weekend (in the snow?)
Jeff