Contents:
Attackers are taking advantage of critical flaws in the widely used PaperCut MF/NG print management software to install Atera remote management software and take control of servers. The software is used by more than 100 million people from over 70,000 businesses worldwide.
CVE-2023-27350 and CVE-2023-27351 can be exploited by remote attackers to bypass authentication and execute arbitrary code on PaperCut servers. These attacks can be carried out with low complexity and do not require user interaction.
Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix.
Available Proof-of-concept Exploit
Horizon3, an attack surface assessment firm, released a blog post with extensive technical details and a proof-of-concept (PoC) exploit for CVE-2023-27350, a vulnerability that could be used by attackers to bypass authentication and execute code on unpatched PaperCut servers. Based on the information provided by Horizon3, the RCE exploit allows “remote code execution by abusing the built-in ‘Scripting’ functionality for printers.”
Huntress has also developed a proof-of-concept exploit to demonstrate the severity of these ongoing attacks, but it has not yet made it public.
According to Bleeping Computer, threat actors are already going after unpatched PaperCut servers in the wild, and more attacks using Horizon3’s exploit code are likely to come. Fortunately, there are only about 1,700 PaperCut servers that are accessible via the Internet, as revealed by a Shodan search.
Administrators who are unable to promptly patch their PaperCut servers are urged to take precautions against remote exploitation, as recommended by Huntress.
To prevent unauthorized access to the network and to limit management access to only the server, it is necessary to block all traffic to the web management port (default port 9191) from external IP addresses on an edge device and to block all traffic to the same port on the server’s firewall.
Could It Be Clop Ransomware?
Threat actors have been exploiting the vulnerability to run PowerShell commands that install Atera and Syncro remote management software, according to Huntress security researchers, who have been analyzing post-exploitation activity related to these ongoing attacks since April 16.
The windowservicecenter[.]com domain, which had been registered on April 12, was used in these attacks; it had previously hosted and delivered the TrueBot downloader, malware associated with the Silence cybercrime group and responsible for delivering Clop ransomware payloads since December 2022.
While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning. (…) Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.
On Friday, CISA added the CVE-2023-27350 flaw to its list of actively exploited vulnerabilities, giving federal agencies until May 12, 2023, to patch their systems to prevent further exploitation.
Papercut published a “PaperCut MF/NG Vulnerability Bulletin”, available here.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.