Network printer exploited (read: hacked) to print antisemitic documents. How to fix?

Solution 1:

This attack disproportionately affected universities because, for historical reasons, many universities use public IPv4 addresses for most or all of their network, and for academic reasons have little or no ingress (or egress!) filtering. Thus, many individual devices on a university network can be reached directly from anywhere on the Internet.

In your specific case, a small office with an ADSL connection and home/SOHO router and static IP address, it's most likely that someone at the office explicitly forwarded TCP port 9100 from the Internet to the printer. (By default, because NAT is in use, incoming traffic has nowhere to go unless some provision is made to direct it somewhere.) To remediate this, you simply remove the port forwarding rule.

In larger offices with proper ingress firewalling, you generally won't have any allow rules for this port at the border, except perhaps for VPN connections if you need people to be able to print over your VPN.

To secure the printer/print server itself, use its built-in allow list/access control list to specify the range(s) of IP addresses allowed to print to the printer, and deny all other IP addresses. (The linked document also contains other recommendations for securing your printers/print servers, which you should also evaluate.)
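As an added example (not part of the original answer), the following Python emulates the two controls this answer recommends: the printer's own allow list, and an outside-in check that TCP/9100 is no longer reachable once the port-forward rule is gone. The address ranges (`192.168.10.0/24` as the office LAN, `10.8.0.0/24` as the VPN client pool) and the sample job sources are assumed values, not taken from the question.

```python
import ipaddress
import socket

# Ranges allowed to reach the printer on TCP/9100 (the raw/JetDirect port).
# Assumed example values: the office LAN and the VPN client pool.
ALLOWED_RANGES = [
    ipaddress.ip_network("192.168.10.0/24"),  # office LAN (assumed)
    ipaddress.ip_network("10.8.0.0/24"),      # VPN client pool (assumed)
]


def decide(src_ip, allowed=ALLOWED_RANGES):
    """Emulate the printer's allow list: 'ALLOW' only if src_ip falls inside
    a permitted range, 'DENY' for everything else, including malformed input
    and any address family the list does not cover (so IPv6 is denied here)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "DENY"
    for net in allowed:
        if addr.version == net.version and addr in net:
            return "ALLOW"
    return "DENY"


def review_sources(src_ips, allowed=ALLOWED_RANGES):
    """Classify a batch of source addresses (e.g. from the printer's job log)
    and return the ones the allow list would have rejected, so you can see
    which jobs arrived from outside the permitted ranges."""
    return [ip for ip in src_ips if decide(ip, allowed) == "DENY"]


def probe_port(host, port=9100, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds. Run this from
    outside your network (a phone hotspot works) against your static public
    IP to confirm 9100 is closed after the forwarding rule is removed."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample of job sources: two internal, one VPN, one public.
    sample = ["192.168.10.25", "10.8.0.7", "203.0.113.9", "192.168.10.254"]
    for ip in sample:
        print(ip, decide(ip))
    print("would be denied:", review_sources(sample))
    # Replace 192.0.2.1 with your office's public IP; expect False after remediation.
    print("9100 open on 192.0.2.1?", probe_port("192.0.2.1"))
```

The allow-list emulation is deliberately strict: an unparsable address or an address family the list does not mention is denied rather than allowed, which is the behaviour you want from the printer's ACL as well. A deny decision for a public address such as 203.0.113.9 is exactly what the printer would have returned for the attacker's jobs had the list been configured.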

Solution 2:

To extend on Michael Hampton's answer: yes, it's likely a port forward rule. But usually that's not something someone would expose deliberately. However, it can be added by UPnP devices, most likely by having UPnP enabled on your residential-grade router.

Universities probably have their printers hacked for other reasons, as corporate-grade routers usually don't support UPnP, and if they did it'd be disabled by default. In those situations, universities are big and have lots of public IPs, very complex networks, and sometimes multiple IT departments with numerous sub-schools and campuses. And don't forget the student hackers who like to poke around.

But, back to my UPnP theory which could fit your case.

It's unlikely someone would deliberately open up port 9100 on your router to enable your printer to be open to the world. Not impossible, but somewhat unlikely.

Here is some info on the more likely culprit, UPnP:

UPnP flaws expose tens of millions of networked devices to remote attacks, researchers say

This is how we had thousands of IP cameras hacked into despite being behind NAT routers.

More here: Exploiting Universal Plug-n-Play protocol, insecure security cameras & network printers. These articles are a few years old, but are still relevant. UPnP is just plain broken and unlikely to be fixed. Disable it.

The last part of the first paragraph in the second article really sums it up:

Lastly, your network printer is just waiting to be hacked.

And lastly, follow Michael Hampton's advice and add an access control list if possible.
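As an added example (not part of the original answer), here is a Python check for the UPnP theory above: it multicasts an SSDP M-SEARCH for an Internet Gateway Device, which is the router-side UPnP service that creates port mappings, and it picks out any mapping to the raw print port from the output of miniupnpc's `upnpc -l`. The SSDP reply and the `upnpc -l` listing embedded below are constructed samples, not captured from a real device, and the internal addresses in them are assumed.

```python
import re
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_TYPE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# SSDP M-SEARCH asking specifically for an Internet Gateway Device.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    f"ST: {IGD_TYPE}\r\n"
    "\r\n"
).encode("ascii")


def parse_ssdp_response(raw):
    """Turn a unicast SSDP reply into a dict of lower-cased header names.
    Anything that is not an HTTP/1.1 200 response yields an empty dict."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_igd(headers):
    """True if the responder advertises the InternetGatewayDevice type."""
    return IGD_TYPE in headers.get("st", "") or IGD_TYPE in headers.get("usn", "")


def discover_igd(timeout=2.0):
    """Multicast one M-SEARCH and collect (responder IP, LOCATION URL) for
    every UPnP gateway that answers. An empty list on your LAN means no
    router is offering UPnP port mapping, which is the state you want."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            try:
                data, (ip, _) = s.recvfrom(65535)
            except socket.timeout:
                break
            hdrs = parse_ssdp_response(data)
            if is_igd(hdrs):
                found.append((ip, hdrs.get("location", "")))
    return found


# One mapping per line, in the shape `upnpc -l` prints:
#   index proto extport->internal_ip:intport 'description' 'remote host' lease
MAPPING_RE = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


def find_mappings(upnpc_output, ports=(9100,)):
    """Return (protocol, external_port, internal_ip, internal_port) for each
    mapping in `upnpc -l` output whose internal port is one of `ports`."""
    hits = []
    for line in upnpc_output.splitlines():
        m = MAPPING_RE.match(line)
        if m and int(m.group(4)) in ports:
            hits.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return hits


# Constructed sample data (not captured from a real device).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux UPnP/1.1 MiniUPnPd/2.1\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)
SAMPLE_UPNPC_LIST = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  9100->192.168.1.50:9100  'HP LaserJet' '' 0
 1 UDP 60001->192.168.1.23:60001 'Skype UDP' '' 0
 2 TCP   443->192.168.1.1:443    'router admin' '' 0
"""

if __name__ == "__main__":
    print("sample gateway:", parse_ssdp_response(SAMPLE_SSDP_REPLY).get("location"))
    print("mappings to 9100 in sample:", find_mappings(SAMPLE_UPNPC_LIST))
    print("live IGD responders on this LAN:", discover_igd())
```

If `discover_igd()` returns a responder, the router is accepting UPnP mapping requests from anything on the LAN, and `upnpc -l` (from the miniupnpc package) will show what has already been mapped; `upnpc -d 9100 TCP` removes a single mapping, but the fix the answer recommends is disabling UPnP on the router so the mapping cannot simply be recreated.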