Heimdal

As reported by Microsoft, Iranian state-backed threat groups have joined the ongoing assault targeting vulnerable PaperCut MF/NG print management servers. The groups in question are tracked as Mango Sandstorm (aka Mercury or Muddywater) and Mint Sandstorm (also known as Phosphorus or APT35). The first group is linked to Iran's Ministry of Intelligence and Security, and the second has ties with Iran's Islamic Revolutionary Guard Corps.

The PaperCut exploitation activity by Mint Sandstorm appears opportunistic, affecting organizations across sectors and geographies.

Microsoft Threat Intelligence Team (Source)

The recorded CVE-2023-27350 exploitation activity by Mango Sandstorm remains low, with operators using tools from prior intrusions to connect to their C2 infrastructure.

Millions of Users Are at Risk

These attacks follow others that Microsoft has tied to Lace Tempest, a hacker collective whose activities overlap with those of the FIN11 and TA505 cybercrime gangs linked to the Clop ransomware campaign.

CISA added the bug to its KEV catalog on April 21, ordering federal agencies to secure their PaperCut servers within 3 weeks (by May 12th, 2023).

The PaperCut vulnerability exploited in these attacks, identified as CVE-2023-27350, affects PaperCut MF or NG versions 8.0 or later and is a significant pre-authentication remote code execution flaw. This enterprise print management software is used by large businesses, government agencies, and educational institutions all over the world, according to PaperCut's developer, who claims that it has more than 100 million users from over 70,000 firms.

Soon after the RCE bug's first exposure in March 2023, security researchers published proof-of-concept (PoC) exploits for it. A few days later, Microsoft issued a security advisory stating that the vulnerability was being leveraged by the Clop and LockBit ransomware gangs to gain initial access to business networks.

New Attacking Technique Discovered

Numerous cybersecurity firms have published indicators of compromise and detection guidelines for PaperCut vulnerabilities, but last week VulnCheck disclosed information on a fresh attack technique that can get around current detections and permit attackers to continue exploiting CVE-2023-27350 unhindered.

Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks… Attackers learn from defenders’ public detections, so it’s the defenders’ responsibility to produce robust detections that aren’t easily bypassed.

Jacob Baines, VulnCheck Vulnerability Researcher (Source)

Defenders are urged to upgrade right now to versions 20.1.7, 21.2.11, and 22.0.9 or later of PaperCut MF and PaperCut NG, which fix the RCE flaw and eliminate the attack vector.
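To turn the version guidance above into a quick inventory check, here is an added example (not code from the article, PaperCut, or Microsoft) that flags hosts still running a build inside the affected range. It assumes dotted numeric version strings, treats the 8.x to 19.x branches as vulnerable because the article names no fixed release for them, and treats anything newer than 22.0.9 as "later" and therefore patched.

```python
"""Flag PaperCut MF/NG versions inside the CVE-2023-27350 affected range.

Assumptions (constructed for this example, not PaperCut's own tooling):
- Version strings are dotted numerics such as "21.2.10"; build suffixes are ignored.
- Affected: 8.0 and later; fixed in 20.1.7, 21.2.11, 22.0.9 or later (per the article).
- Branches 8.x to 19.x have no fixed release named on the page -> treated as vulnerable.
"""
import re

AFFECTED_FROM = (8, 0, 0)
# First fixed release per major branch, from the upgrade guidance quoted above.
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}


def parse_version(text):
    """Turn '22.0.9' (or '22.0.9 (Build 12345)') into a 3-tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(text):
    """True when the version is >= 8.0 and below its branch's fixed release."""
    v = parse_version(text)
    if v < AFFECTED_FROM:
        return False
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        # Branches 8..19: no fixed build on the page -> assume vulnerable.
        # Branches newer than 22: later than every fixed release -> patched.
        return v[0] < min(FIXED_BY_BRANCH)
    return v < fixed


def triage(inventory):
    """inventory: {hostname: version string}; returns sorted hosts needing an upgrade."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"print-01": "21.2.10", "print-02": "22.0.9",
              "print-03": "19.1.3", "print-04": "7.5.2"}
    print(triage(sample))  # ['print-01', 'print-03']
```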


Author Profile

Cristian Neagu

CONTENT EDITOR
