Iranian hacker

Microsoft says Iranian state-backed hackers have joined the ongoing assault targeting vulnerable PaperCut MF/NG print management servers.

These groups are tracked as Mango Sandstorm (aka Mercury or MuddyWater, linked to Iran's Ministry of Intelligence and Security) and Mint Sandstorm (also known as Phosphorus or APT35, linked to Iran's Islamic Revolutionary Guard Corps).

“PaperCut exploitation activity by Mint Sandstorm appears opportunistic, affecting organizations across all industries and geographies,” the Microsoft Threat Intelligence team said.

“The CVE-2023-27350 exploit activity observed by Mango Sandstorm remains low, with operators using tools from previous intrusions to connect to their C2 infrastructure.”

They follow attacks that Microsoft attributed to Lace Tempest, a hacking group whose malicious activity overlaps with the FIN11 and TA505 cybercrime gangs linked to the Clop ransomware operation.

Redmond also found that some intrusions led to LockBit ransomware attacks, but could not provide more information when asked to share additional details.

CISA added this bug to its catalog of actively exploited vulnerabilities on April 21, ordering federal agencies to secure their PaperCut servers within three weeks, by May 12, 2023.

The PaperCut vulnerability exploited in these attacks, tracked as CVE-2023-27350, is a critical pre-authentication remote code execution bug in PaperCut MF and NG version 8.0 or later.

Large corporations, government organizations and educational institutions around the world use this enterprise print management software, with PaperCut's developer claiming over 100 million users from over 70,000 companies.

Security researchers released PoC exploits for the RCE bug shortly after its initial disclosure in March 2023, and Microsoft warned several days later that the vulnerability was being used by the Clop and LockBit ransomware gangs for initial access to corporate networks.

While several cybersecurity companies have published indicators of compromise and detection rules for PaperCut exploits, VulnCheck shared details last week on a new attack method that bypasses existing detections, allowing attackers to keep exploiting CVE-2023-27350 unhindered.

“Detections that focus on a particular method of code execution, or that focus on a small subset of techniques used by a threat actor are bound to be useless in the next round of attacks,” said Jacob Baines, VulnCheck vulnerability researcher.

“Attackers learn from defenders’ public detections, so it’s the defenders’ responsibility to produce robust detections that aren’t easily circumvented.”

Administrators are urged to immediately upgrade their PaperCut MF and PaperCut NG software to versions 20.1.7, 21.2.11 and 22.0.9 or later, which fix this RCE bug and remove the attack vector.
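To turn the fixed-version guidance above into a repeatable check across a server inventory, here is an added example (not code from the article, Microsoft or PaperCut) that classifies a PaperCut MF/NG version string against the affected range and the per-branch fixed releases named in this article. It assumes versions are written as major.minor.patch, and that any branch newer than 22 counts as "later" than the fixed releases; the inventory is constructed sample data.

```python
# Fixed releases named in the article, keyed by release branch (major version).
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
# CVE-2023-27350 affects PaperCut MF/NG 8.0 and later.
FIRST_AFFECTED = (8, 0, 0)


def parse_version(text):
    """Turn '21.2.10' (or a shorter '21.2') into a comparable 3-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected PaperCut version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def fmt(version_tuple):
    return ".".join(str(n) for n in version_tuple)


def assess(version):
    """Return (vulnerable, advice) for one PaperCut MF/NG version string."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False, "version predates the affected range (8.0+)"
    # Assumption: branches above 22 are 'later' than the fixed releases.
    if v[0] > max(FIXED_BY_BRANCH):
        return False, "newer than all fixed branches"
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        # 8.x through 19.x: affected, and no fixed release exists in-branch.
        return True, "no fixed release in this branch; upgrade to 22.0.9 or later"
    if v >= fixed:
        return False, f"at or above fixed release {fmt(fixed)}"
    return True, f"upgrade to {fmt(fixed)} or later"


def audit(inventory):
    """inventory: {hostname: version}. Returns hostnames that still need patching."""
    return sorted(host for host, ver in inventory.items() if assess(ver)[0])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "print-hq-01": "22.0.9",    # patched
    "print-hq-02": "21.2.10",   # one release short of the fix
    "print-campus-a": "19.2.5", # old branch, no in-branch fix
    "print-legacy": "7.9.0",    # predates the affected range
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(host, "->", assess(SAMPLE_INVENTORY[host])[1])
```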
