Severe vulnerabilities in the PaperCut MF/NG print management software are being exploited by attackers to install Atera remote management software and gain control of servers. These vulnerabilities, tracked as CVE-2023-27350 and CVE-2023-27351, enable remote attackers to bypass authentication and execute malicious code on compromised PaperCut servers with SYSTEM privileges. What's more, the attacks are relatively simple and do not require any user interaction.

Analyzing the risk

  • Huntress detected over 1,000 Windows hosts that have PaperCut installed, with over 900 of them running vulnerable versions across approximately 700 organizations. 
  • Additionally, three macOS hosts with PaperCut Server installed were identified, of which two were running vulnerable versions. 
  • Despite being intended for internal use only, at least 1,800 PaperCut servers are publicly accessible, as revealed by a Shodan search.

Attack scenario

  • The attackers initially deployed legitimate Remote Management and Maintenance (RMM) applications such as Atera and Syncro to gain persistent access to the vulnerable systems. 
  • Security experts also uncovered a Windows DLL associated with a variant of the Truebot malware while analyzing a domain involved in these attacks.

Truebot is a post-exploitation tool that has been linked to Silence, a threat actor associated with the Russian hacking group TA505, known for its involvement in the Cl0p ransomware attacks.

Why this matters

  • The potential links between the current PaperCut software activity and a known ransomware entity are worrisome as the end goal remains unclear. 
  • Additionally, an analysis of vulnerable versions of PaperCut MF/NG found that authentication can be bypassed by accessing the 'SetupCompleted' page, allowing an attacker to log in as an administrator without credentials, change settings that disable security measures, and execute Java code on the server.

What to do now

To prevent exploitation, organizations using PaperCut MF or NG should upgrade to version 20.1.7, 21.2.11, or 22.0.9. For those unable to update immediately, PaperCut and Huntress have published workarounds. Huntress and Horizon3 have also provided indicators that PaperCut users can check to determine whether their servers have been exploited.
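As a defender's triage aid for the version check above, the following Python classifies an inventory of PaperCut hosts against the three fixed releases named in the article and summarises exposure per organization. This is an added example, not code from Cyware, Huntress or PaperCut; the inventory, organization and host names are constructed, and branches the article lists no fix for are flagged for review rather than assumed safe.

```python
# Added example: triage PaperCut MF/NG versions against the fixed releases
# (20.1.7, 21.2.11, 22.0.9) named for CVE-2023-27350 / CVE-2023-27351.
from collections import Counter

# Minimum fixed release per branch, keyed by (major, minor). Source: the advisory text.
FIXED = {(20, 1): (20, 1, 7), (21, 2): (21, 2, 11), (22, 0): (22, 0, 9)}


def parse_version(text):
    """Turn '21.2.10' into (21, 2, 10); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PaperCut version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Return 'patched', 'vulnerable', or 'review' for a PaperCut version string."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Branch has no fixed release listed in the advisory (e.g. 19.x):
        # treat as unpatched until confirmed with the vendor, never as safe.
        return "review"
    # Tuple comparison handles later point releases (22.0.10 >= 22.0.9).
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (org, host, version). Returns counts and the exposed set."""
    status = {}
    for org, host, version in inventory:
        try:
            status[host] = (org, classify(version))
        except ValueError:
            status[host] = (org, "unparseable")  # bad inventory data, surface it
    return {
        "counts": dict(Counter(s for _, s in status.values())),
        "vulnerable_orgs": sorted({org for org, s in status.values() if s == "vulnerable"}),
        "vulnerable_hosts": sorted(h for h, (_, s) in status.items() if s == "vulnerable"),
    }


# Constructed sample inventory (org, hostname, version); not real data.
SAMPLE = [
    ("acme", "print01", "22.0.9"), ("acme", "print02", "22.0.8"),
    ("globex", "pc-srv", "21.2.11"), ("globex", "pc-old", "20.1.6"),
    ("initech", "papercut", "21.2.3"), ("initech", "legacy", "19.0.4"),
    ("initech", "weird", "22.0"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```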
Cyware Publisher