SnipVex clipjacking wallets is almost beside the point, the real failure is a printer vendor treating software like a side gig. Printer and hardware companies get a pass on basic infosec hygiene that would be unacceptable for open source maintainers.
until that changes, airgap your weird hardware setups I guess
Also this is a perfect storm for lateral movement. USB-borne worms still work frighteningly well in small biz environments, especially ones with no centralized IT and people plugging printers directly into Windows desktops with admin perms. Here SnipVex is just a cherry on top-a nice, opportunistic payload for the growing class of infostealers targeting crypto wallets
mcv · 4m ago
Unintentionally spreading malware is bad enough, but blindly dismissing reports as false positives is really bad. Verify first.
throw903332 · 50m ago
> basic infosec hygiene that would be unacceptable for open source maintainers
Opensource printer stack is a legacy mess. There is critical vulnerability almost every year. There are not enough money or developers to fix that!
juliangmp · 20m ago
The printer stack as a whole is a legacy mess..
I have an easier time getting a 3D printer to work than any inkjet machine
diggan · 3m ago
Maybe I got lucky, but in 2017 I bought a Brother DCP-L2520DW laser printer. No matter what OS, computer or network I connect it to, it seems to just work for everyone involved, always, and I don't think I've had a single issue with it since I got it nor did anything at all to set it up, basically installed CUPS on my desktop to get it to work and for Windows/macOS it just works.
Not affiliated, but seems some companies seem to be able to deal with it, regardless if it's open source (my stack) or not (my wife's Apple-stack).
aaviator42 · 37m ago
> Opensource printer stack is a legacy mess.
I don't necessarily disagree, but isn't this because of extremely bad firm/soft/hardware design by the printer companies that then have to be supported by the open source stack?
ChrisMarshallNY · 59m ago
> a printer vendor treating software like a side gig
This is a chronic problem with hardware vendors.
Source: Software developer for hardware companies, for over 30 years.
shakna · 54m ago
> While some redditors speculate that the trojan was planted on purpose, there is no evidence to support this claim. Outdated malware with an inactive command-and-control server is not advantageous for any attacker nor does superinfection make sense for this scenario. A far more plausible explanation points to the absence or failure of antivirus scanning on the systems used to compile and distribute the software packages. Procolored promises to improve this process, so that it cannot happen again.
That this system is so insecure as to be hit multiple times, I don't know how much stock anyone should put in "improved processes". This is a company who seems to have gone out of their way to create an insecure environment - probably out of some frustration, but all the same, insecure.
elmt35 · 2h ago
The printer company in question is: Procolored
yccs27 · 55m ago
Yup, that clickbait headline should be "Procolored served customers malware for months, dismissed it as false positives" instead.
razakel · 1h ago
Hosting drivers on mega.co.nz.
Totally fills you with confidence.
codetrotter · 1h ago
I’ve seen other hardware companies that host firmware downloads for their products on Google Drive and some Chinese cloud drive. I don’t think doing that, nor Dropbox link, is different really from hosting it on Mega.
bolognafairy · 59m ago
Okay. It still doesn’t fill me with confidence.
MathMonkeyMan · 1m ago
Trust us, bro. We paid bottom dollar for this software.
jeroenhd · 54m ago
At least mega.co.nz is a file sharing name I recognise.
My keyboard's drivers are hosted on "egnyte.com"
djfergus · 1h ago
“ It is also worth noting that I contacted Procolored support four times over the course of my testing, for help with figuring out the software and settings. Every single time, the agent requested multiple times that I allow them to connect remotely to my computer”
Lammy · 44m ago
There's nothing wrong with Mega
msh · 30m ago
It implies that the company does not give a shit when they don’t even use their own web server.
rvnx · 1h ago
If Bitcoin wallets would be designed properly they would ask for a second confirmation before sending 100k USD.
This may be the main thing to fix here, as it's very plausible that hacks happen again and again... by design.
Today it's an infected printer, tomorrow it will be a game on Steam.
latexr · 35m ago
> This may be the main thing to fix here
It’s not, because that wasn’t the problem and would not have worked. For one, nothing indicates the $100K were extracted in one go, it looks like it was cumulative. For another, this malware isn’t directly sending coins, it’s just replacing addresses in your clipboard.
cjbprime · 1h ago
Then the malware would provide that confirmation to the wallet too. Defending yourself from malware running on the same (Windows) machine is mostly impossible.
alpaca128 · 1h ago
Steam already had a game with an infostealer a while ago. A pirate game.
But something like that would only be surprising if it was more than an obvious lazy asset flip.
codetrotter · 1h ago
That kind of confirmation does exist, it’s called using a hardware wallet, such as those made by Trezor and others.
> G Data's research showed that the Bitcoin address linked to SnipVex had received about 9.3 BTC, roughly $100,000
How big was the largest amount stolen?
It could be a few individuals with a lot of money in their unprotected software wallets, or it could be a lot of people with relatively smaller amounts stolen from each of them.
If you only have a couple hundred dollars worth of bitcoin and don’t intend to buy any more of it then it doesn’t make much sense to spend as much on a hardware wallet as those cost. But if you have like $500 of bitcoin then it starts to make more sense. Especially if you plan on buying more of it. And if you have over a $1,000 and are still using a software wallet you should really look into getting a hardware wallet ASAP IMHO.
cm2187 · 1h ago
The malware doesn’t send all the content of the wallet to itself, it just replaces the recipient address in the clipboard (so you wouldn’t notice unless you checked the address). The 100k I think are cumulatively, though if it is 9btc, it’s more like 1m.
johnisgood · 1h ago
This should be relatively easy to implement.
HPsquared · 2h ago
What is it with printers and (pardon the pun) shady practices?
M95D · 56m ago
There's only some printer companies. I'm using Epson inkjet and I never had any problems. Drivers are very good too.
gostsamo · 2h ago
diminishing market and margins call for extreme pressure to monitize whatever is left of the user base.
bigfatkitten · 1h ago
These aren’t commodity office printers. They’re UV inkjets, which are used to print artwork onto objects and cost many thousands of dollars.
raverbashing · 1h ago
So it sounds more like TDD (technobro driven development)
bolognafairy · 57m ago
I assure you that “sneaking spyware into installers” predates “tech bros”
until that changes, airgap your weird hardware setups I guess
Also this is a perfect storm for lateral movement. USB-borne worms still work frighteningly well in small biz environments, especially ones with no centralized IT and people plugging printers directly into Windows desktops with admin perms. Here SnipVex is just a cherry on top-a nice, opportunistic payload for the growing class of infostealers targeting crypto wallets
Opensource printer stack is a legacy mess. There is critical vulnerability almost every year. There are not enough money or developers to fix that!
Not affiliated, but seems some companies seem to be able to deal with it, regardless if it's open source (my stack) or not (my wife's Apple-stack).
I don't necessarily disagree, but isn't this because of extremely bad firm/soft/hardware design by the printer companies that then have to be supported by the open source stack?
This is a chronic problem with hardware vendors.
Source: Software developer for hardware companies, for over 30 years.
That this system is so insecure as to be hit multiple times, I don't know how much stock anyone should put in "improved processes". This is a company who seems to have gone out of their way to create an insecure environment - probably out of some frustration, but all the same, insecure.
Totally fills you with confidence.
My keyboard's drivers are hosted on "egnyte.com"
This may be the main thing to fix here, as it's very plausible that hacks happen again and again... by design.
Today it's an infected printer, tomorrow it will be a game on Steam.
It’s not, because that wasn’t the problem and would not have worked. For one, nothing indicates the $100K were extracted in one go, it looks like it was cumulative. For another, this malware isn’t directly sending coins, it’s just replacing addresses in your clipboard.
But something like that would only be surprising if it was more than an obvious lazy asset flip.
https://trezor.io/
The bigger question is, when they said:
> G Data's research showed that the Bitcoin address linked to SnipVex had received about 9.3 BTC, roughly $100,000
How big was the largest amount stolen?
It could be a few individuals with a lot of money in their unprotected software wallets, or it could be a lot of people with relatively smaller amounts stolen from each of them.
If you only have a couple hundred dollars worth of bitcoin and don’t intend to buy any more of it then it doesn’t make much sense to spend as much on a hardware wallet as those cost. But if you have like $500 of bitcoin then it starts to make more sense. Especially if you plan on buying more of it. And if you have over a $1,000 and are still using a software wallet you should really look into getting a hardware wallet ASAP IMHO.