
Iranian Threat Groups Abuse PaperCut Flaw: Warns Microsoft

Right after the PaperCut bug (CVE-2023-27350) was disclosed, threat actors came flocking to it like flies to lamps. New research from VulnCheck unearthed a new attack method that bypasses all existing detection rules by leveraging the fact that PaperCut NG and MF offer multiple paths to code execution. Now, Microsoft has warned that the Iranian threat groups Mint Sandstorm and Mango Sandstorm are targeting vulnerable PaperCut MF/NG print management servers.

Diving into details

Mango Sandstorm, aka Muddywater or Mercury, is linked to Iran's Ministry of Intelligence and Security and Mint Sandstorm, aka APT35 or Phosphorus, is linked to Iran’s IRGC. 
  • According to the Microsoft Threat Intelligence team, the exploitation by Mint Sandstorm seems to be a calculated move that is impacting organizations in various sectors and locations.
  • However, the exploitation activity related to Mango Sandstorm has been low. The operators behind these attacks have been found to be using tools previously employed in intrusions to establish a connection to their C2 infrastructure.
  • These attacks follow the pattern of malicious activities associated with Lace Tempest, a hacking group whose operations intersect with the cybercrime gangs FIN11 and TA505. Both groups have ties to the notorious Cl0p ransomware operation.

New PaperCut PoC exploit

  • Researchers discovered a new attack method that bypasses all existing detection rules for CVE-2023-27350, enabling attackers to execute arbitrary code through PaperCut's scripting interface.  
  • The new PoC exploit takes advantage of the multiple paths to code execution, allowing attackers to achieve code execution via the credentials they submit when attempting to log in.
  • The attack method could, furthermore, enable attackers to launch a Python reverse shell on Linux or download a custom reverse shell from a remote server on Windows.

Other reports of exploitation of the bug

  • Microsoft's security team reported attacks by affiliates of the Cl0p and LockBit ransomware groups. Experts also found a Truebot variant on a domain related to the attacks.
  • In April, attackers used legitimate RMM applications, such as Atera and Syncro, to backdoor vulnerable systems for persistence.

The bottom line

Defenders are advised to upgrade their PaperCut MF and PaperCut NG software to versions 20.1.7, 21.2.11, and 22.0.9 or newer as soon as possible. This fixes the RCE bug and eliminates the possibility of an attack. Microsoft, moreover, recommends enabling conditional access policies and continuous access evaluation to stay safe from such threats.
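The following is an added triage helper, not code from the article or from PaperCut, that checks an inventory of reported PaperCut MF/NG version strings against the fixed releases named above (20.1.7, 21.2.11, 22.0.9 or newer). It assumes versions are formatted as MAJOR.MINOR.PATCH, that branches older than 20 are unfixed, and that branches newer than 22 shipped after the fix; the hostnames and versions in the sample inventory are constructed.

```python
import re

# First fixed release per branch, as listed in the advisory summary.
FIXED_BY_BRANCH = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)


def parse_version(text):
    """Return (major, minor, patch) from strings like '22.0.9' or '21.2.11 (Build 66306)'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text):
    """True if the reported version is at or above the fixed release for its branch.

    Assumptions: branches older than 20 never received a fix, so they count as
    vulnerable; branches newer than 22 were released after the fix, so they
    count as patched.
    """
    major, minor, patch = parse_version(version_text)
    if major in FIXED_BY_BRANCH:
        return (major, minor, patch) >= FIXED_BY_BRANCH[major]
    return major > NEWEST_FIXED_BRANCH


def triage(inventory):
    """Map host -> 'patched' or 'vulnerable' for a dict of host: version string."""
    return {host: ("patched" if is_patched(ver) else "vulnerable")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are illustrative only.
    sample = {
        "print-01.example.test": "22.0.8",
        "print-02.example.test": "21.2.11 (Build 66306)",
        "print-03.example.test": "19.2.3",
        "print-04.example.test": "23.0.1",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```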
Publisher: Cyware