Exploit Released for PaperCut Flaw Abused to Hijack Servers, Patch Now
Summary:
Threat actors are exploiting two vulnerabilities in the PaperCut MF/NG print management software to install Atera remote management software and take over servers. The flaws are tracked as CVE-2023-27350, an authentication bypass that lets a remote attacker execute arbitrary code on unpatched PaperCut servers with SYSTEM privileges, and CVE-2023-27351, an unauthenticated information-disclosure bug that exposes user data held by the server. CVE-2023-27350 is the one being abused for server takeover; it is a low-complexity attack that requires no user interaction.
Security researchers at Huntress have been analyzing post-exploitation activity linked to these attacks since April 16. They note that the attackers use the flaw to make the PaperCut server run PowerShell commands that ultimately install the Atera and Syncro remote management agents.
"These attacks were preceded by the registration of the windowservicecenter[.]com domain on April 12th, which was also used to host and deliver TrueBot downloader, a malware linked to the Silence cybercrime group and used to deploy Clop ransomware payloads since December 2022."
The motive behind the latest campaigns targeting PaperCut's software is currently unknown. However, the link to TrueBot is concerning, as the same infrastructure has been used to stage ransomware deployments, so these intrusions could well end in ransomware.
Analyst comments:
Yesterday, Horizon3 released a technical write-up that includes a proof-of-concept exploit for CVE-2023-27350, which attackers can use to bypass authentication and execute code on unpatched PaperCut servers. PaperCut servers were already being attacked in the wild, and additional threat actors are now likely to fold Horizon3's exploit code into their own campaigns. A recent Shodan search turned up roughly 1,700 Internet-exposed PaperCut servers, so the exposed population is relatively small, but every host in it is now a straightforward target.
Mitigation:
Both vulnerabilities are fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later; upgrading is the only real fix, since the blocks below only reduce exposure. Huntress advises administrators who cannot patch promptly to cut off remote access to the web management interface. That means blocking inbound traffic from external IP addresses to the web console port (default 9191 for HTTP; the HTTPS console listens on 9192 by default) on an edge device, and also blocking the same ports on the server's own host firewall so the console is reachable only from the server itself. Note that the same ports serve PaperCut's end-user web pages, so this is a stopgap that will break remote administration and user-facing web access until the server is patched and the rules are lifted.
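As an added example (not from the advisory, Huntress, or PaperCut), the host-firewall half of that stopgap on a Windows PaperCut server: it adds Windows Defender Firewall rules that drop inbound TCP traffic to the console ports from every remote address, then reports what is still listening and which rules are in place. It assumes the default ports (9191 and 9192) and relies on two Windows Defender Firewall behaviours: Block rules take precedence over Allow rules, so PaperCut's installer rules for these ports do not need to be removed, and loopback traffic is not filtered, so the console stays reachable from the server's own desktop. The rule name is an assumption chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: block external access to the PaperCut web console on the host firewall.
# Assumptions: default console ports 9191 (HTTP) and 9192 (HTTPS); rule name is arbitrary.
param(
    [int[]]$ConsolePorts = @(9191, 9192),
    [string]$RuleName    = 'PaperCut-Block-External-Console'
)

function Get-ConsoleListeners {
    # Which local addresses the console ports are bound to (and which process owns them),
    # so you can see the exposure before and after the rules are added.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ConsolePorts -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Add-ConsoleBlockRule {
    # One inbound Block rule covering every console port from any remote address.
    # Block beats Allow in Windows Defender Firewall, and loopback is not filtered,
    # so this leaves only local (127.0.0.1 / ::1) access to the console.
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule '$RuleName' already exists; leaving it in place."
        return $existing
    }
    $ports = $ConsolePorts | ForEach-Object { "$_" }
    New-NetFirewallRule -DisplayName $RuleName `
                        -Description 'Stopgap for CVE-2023-27350: block remote access to PaperCut web console until patched' `
                        -Direction Inbound -Protocol TCP -LocalPort $ports `
                        -RemoteAddress Any -Action Block -Profile Any -Enabled True
}

function Test-ConsoleBlockRule {
    # Confirm the rule exists, is enabled, and covers every expected port.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) { Write-Warning "Rule '$RuleName' not found."; return $false }
    $filter  = $rule | Get-NetFirewallPortFilter
    $covered = @($filter.LocalPort) | ForEach-Object { [int]$_ }
    $missing = $ConsolePorts | Where-Object { $covered -notcontains $_ }
    $ok = ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Block') -and (-not $missing)
    [pscustomobject]@{
        Rule        = $RuleName
        Enabled     = $rule.Enabled
        Action      = $rule.Action
        PortsCovered = ($covered -join ',')
        MissingPorts = ($missing -join ',')
        Ok          = $ok
    }
}

Write-Host '--- Console listeners before ---'
Get-ConsoleListeners | Format-Table -AutoSize
Add-ConsoleBlockRule | Out-Null
Write-Host '--- Rule check ---'
Test-ConsoleBlockRule | Format-List
```

Run it in an elevated PowerShell on the PaperCut server, then confirm from another host that `Test-NetConnection -ComputerName <papercut-server> -Port 9191` reports `TcpTestSucceeded : False`. Remove the rule with `Remove-NetFirewallRule -DisplayName PaperCut-Block-External-Console` once the server is on a patched release and remote console and user web access are needed again.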
Source:
https://www.bleepingcomputer.com