Cyber Security Threat Summary:
On April 19th, PaperCut, a printing management software company, disclosed that threat actors were actively exploiting two flaws in PaperCut MF or NG, urging admins to upgrade their servers to the latest version as soon as possible. The flaws, tracked as CVE-2023-27350 and CVE-2023-27351, were fixed last month in the PaperCut Application Server and allow remote attackers to perform unauthenticated remote code execution and information disclosure.

In a Twitter post yesterday, Microsoft attributed the attacks to Lace Tempest, a threat group whose activity overlaps with FIN11 and TA505, both of which are linked to the Clop ransomware operation. According to the tech giant, Lace Tempest has been exploiting the PaperCut vulnerabilities since April 13 to gain initial access to corporate networks and steal data from vulnerable servers.

“Once they gained access to the server, they deployed the TrueBot malware, which has also been previously linked to the Clop ransomware operation. Ultimately, Microsoft says a Cobalt Strike beacon was deployed and used to spread laterally through the network while stealing data using the MegaSync file-sharing application. In addition to Clop, Microsoft says some intrusions have led to LockBit ransomware attacks. However, it's unclear if these attacks began after the exploits were publicly released” (Bleeping Computer, 2023).

Security Officer Comments:
Clop affiliates like Lace Tempest are known for exploiting vulnerabilities to gain initial access to corporate environments. Recently, the group utilized a zero-day vulnerability in the GoAnywhere secure file-sharing platform to steal data from over 130 companies worldwide.

On Monday, Horizon3 released a technical write up which included a proof-of-concept exploit for CVE-2023-27350 that could be leveraged by attackers to bypass authentication and execute code on unpatched PaperCut servers. Although, Lace Tempest has been targeting vulnerable PaperCut servers since April 13, the POC will enable other cybercriminals to conduct additional attacks.

Suggested Corrections:
Both vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. Huntress advises administrators unable to promptly patch their PaperCut servers should take measures to prevent remote exploitation. This includes blocking all traffic to the web management port (default port 9191) from external IP addresses on an edge device, as well as blocking all traffic to the same port on the server's firewall to restrict management access solely to the server and prevent potential network breaches.

Link:
https://www.bleepingcomputer.com/ne...somware-gangs-behind-papercut-server-attacks/
https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/