Patch PaperCut Servers to Defend Against Exploit
Patch PaperCut Servers to Defend Against Exploit
Horizon3 has released a proof-of-concept (PoC) exploiting PaperCut print management software to achieve remote code execution (RCE). The PoC targets vulnerabilities CVE-2023-27350 and CVE-2023-27351, enabling attackers to perform low-complexity attacks without user interaction. This allows them to bypass authentication and execute arbitrary code on PaperCut servers compromised with SYSTEM privileges. "Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later," as stated by PaperCut in their latest security advisory. The attack surface for the exploit is found to be relatively small with a Shodon search only identifying approximately 1,700 internet-facing servers. Researchers from Huntress have observed PaperCut servers being exploited to execute PowerShell commands to drop remote access software such as Atera and Syncro. Based on registered infrastructure dropping the software, operators from the Clop ransomware gang are involved in exploiting PaperCut servers, leading to concerns about potential ransomware attacks due to this exploit.
The Clop and LockBit ransomware gangs are attributed to attacks exploiting PaperCut servers. In a tweet from Microsoft's Threat Intelligence team, Clop ransomware affiliates were observed running "PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service." The operators then installed a Cobalt Beacon, running reconnaissance commands and using WMI to achieve lateral movement. Data was found to be exfiltrated to MegaSync. While fewer details were provided for LockBit, Microsoft shared they've also observed intrusions resulting in LockBit ransomware.