Attackers are exploiting severe vulnerabilities in the widely used PaperCut MF/NG print management software to install Atera remote management software to take control of servers.
The software developer claims that it is used by more than 100 million users from over 70,000 companies worldwide.
The two security vulnerabilities (tracked as CVE-2023-27350 and CVE-2023-27351) allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that do not require user interaction.
“These two vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later versions. We strongly recommend that you upgrade to one of these versions containing the fix,” the company warned.
Proof of concept exploit available
Earlier today, attack surface review company Horizon3 published a blog post containing detailed technical information and a CVE-2023-27350 proof-of-concept (PoC) exploit that attackers could use to bypass authentication and execute code on unpatched PaperCut servers.
Horizon3 says the PoC exploit achieves “remote code execution by abusing the built-in ‘Scripting’ feature for printers”.
Huntress has also created a PoC exploit to show the threat posed by these ongoing attacks, but has not yet released it online (a video demo is available below).
While unpatched PaperCut servers are already targeted in the wild, other threat actors will likely use Horizon3’s exploit code in further attacks.
Fortunately, a Shodan search shows that attackers could only target around 1,700 Internet-facing PaperCut servers.
CISA added the CVE-2023-27350 flaw to its list of actively exploited vulnerabilities on Friday, ordering federal agencies to secure their systems against continued exploitation within three weeks, by May 12, 2023.
Huntress advises administrators unable to quickly patch their PaperCut servers to take steps to prevent remote exploitation.
This includes blocking all traffic to the web management port (default port 9191) from external IP addresses on an edge device, as well as blocking all traffic to the same port on the server’s own firewall, so that management access is limited to the server itself and a potential network breach is contained.
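One way to apply the server-side part of that advice on a Windows PaperCut host, as an added example that is not from the article, Huntress or PaperCut: it scopes inbound access to port 9191 to a single admin subnet using Windows Defender Firewall cmdlets. The admin subnet is a constructed placeholder, and the script assumes Windows Firewall's usual behaviour of not filtering loopback traffic, so the server keeps local access to its own management UI.

```powershell
# Added example (not from the article or PaperCut): restrict inbound access to the
# PaperCut web management port on a Windows server. Run as Administrator.
$Port        = 9191            # default PaperCut web management port (per the article)
$AdminSubnet = '10.0.50.0/24'  # constructed placeholder: hosts allowed to reach the admin UI
$RuleName    = 'PaperCut-Mgmt-Allow-AdminSubnet'

# Windows Firewall evaluates Block rules before Allow rules, so scoping access cleanly
# means: block unmatched inbound traffic by default, disable any broad Allow rule for
# the port, then add one narrowly scoped Allow. Loopback is not filtered (assumption),
# so http://localhost:9191 still works on the server itself.

# 1. Ensure every profile blocks inbound traffic that matches no Allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable existing inbound Allow rules that explicitly open the port (e.g. one
#    added by an installer); flag all-ports TCP Allow rules for manual review instead
#    of touching them, since disabling those could break unrelated services.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'TCP') { return }
        if ($pf.LocalPort -contains "$Port") {
            Write-Host "Disabling rule that opens TCP/$Port : $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        } elseif ($pf.LocalPort -eq 'Any') {
            Write-Warning "Review all-ports TCP Allow rule: $($_.DisplayName)"
        }
    }

# 3. Allow only the admin subnet to reach the port (re-runnable: old copy removed first).
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null

# 4. Show what is listening on the port and which enabled rules now govern it.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port" } |
    Select-Object DisplayName, Action,
        @{n='Remote'; e={ ($_ | Get-NetFirewallAddressFilter).RemoteAddress }}
```

Rules that express the port as a range (for example 9190-9199) are not matched by the exact-port check in step 2, so review the step 4 output before trusting the result.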
Links to Clop ransomware
According to Huntress security researchers who have been analyzing post-exploitation activity related to these ongoing attacks since April 16, when the first attacks were observed, threat actors are using the flaw to run PowerShell commands that install the Atera and Syncro remote management software.
These attacks were preceded by the registration of the windowservicecenter.com domain on April 12, which was also used to host and deliver the TrueBot downloader, malware linked to the Silence cybercrime group and used to deploy Clop ransomware payloads since December 2022.
“While the ultimate goal of the current activity exploiting PaperCut’s software is unknown, these (albeit somewhat circumstantial) links to a known ransomware entity are concerning,” Huntress Labs said.
“Potentially, the access gained through the PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim’s network, and ultimately the deployment of ransomware.”