Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

Cyber Security Threat Summary:
“Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. ‘This activity shows Mint Sandstorm's continued ability to rapidly incorporate [proof-of-concept] exploits into their operations,’ Microsoft said in a series of tweets. On the other hand, CVE-2023-27350 exploitation activity associated with Mango Sandstorm is said to be on the lower end of the spectrum, with the state-sponsored group ‘using tools from prior intrusions to connect to their C2 infrastructure.’ It's worth noting that Mango Sandstorm is linked to Iran's Ministry of Intelligence and Security (MOIS) and Mint Sandstorm is said to be associated with the Islamic Revolutionary Guard Corps (IRGC).” (The Hacker News, 2023).

Security Officer Comments:
Since Horizon3 released a proof-of-concept exploit for CVE-2023-27350, threat actors have been targeting servers still running vulnerable versions of PaperCut print management software. For instance, researchers at Huntress Labs reported that actors were exploiting the flaw to execute PowerShell commands that ultimately installed the Atera and Syncro remote management tools. Microsoft also stated in a recent post that the cybercriminal group Lace Tempest was leveraging CVE-2023-27350 to deploy Clop and LockBit ransomware payloads.

Suggested Corrections:
CVE-2023-27350 has been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. Administrators who cannot patch their PaperCut servers promptly should reduce exposure to remote exploitation by: blocking all traffic to the web management port (default port 9191) from external IP addresses at an edge device, and blocking all traffic to the same port in the server's own firewall, so that management access is restricted to the server itself and the port cannot serve as an entry point into the network.
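As an added example (not from the advisory, Microsoft or PaperCut), the POSIX shell script below applies the two corrections above: it classifies an installed PaperCut version against the fixed releases 20.1.7, 21.2.11 and 22.0.9, and prints nftables rules that confine the web management port to loopback. It assumes nftables on the PaperCut host and that the HTTPS admin port (9192 by default, not named above) is treated the same way as 9191.

```shell
#!/bin/sh
# Added example, not from the advisory or from PaperCut: classify an installed
# PaperCut NG/MF version against the fixed releases the advisory names
# (20.1.7, 21.2.11, 22.0.9 and later) and emit host-firewall rules for the
# interim mitigation (limit the web management port to the server itself).

# Turn "major.minor.patch" into one zero-padded integer so versions compare
# numerically (22.0.10 > 22.0.9); missing fields count as 0.
ver_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Succeeds (exit 0) when version $1 is at or above the fixed release of its
# branch, fails (exit 1) when it is still exposed to CVE-2023-27350.
papercut_is_patched() {
    case "$1" in *[!0-9.]* | "") return 1 ;; esac   # reject malformed input
    major=${1%%.*}
    case "$major" in
        20) fixed=20.1.7 ;;
        21) fixed=21.2.11 ;;
        22) fixed=22.0.9 ;;
        *)  # 23 and later postdate the fix; 19 and older never received one
            if [ "$major" -ge 23 ]; then return 0; else return 1; fi ;;
    esac
    [ "$(ver_key "$1")" -ge "$(ver_key "$fixed")" ]
}

# Print nftables commands that accept the management port only from loopback
# and drop it from everywhere else. Defaults to the HTTP admin port 9191 named
# in the advisory; PaperCut also serves the admin UI over HTTPS on 9192
# (assumed default here), so run it once per port.
papercut_fw_rules() {
    port=${1:-9191}
    cat <<EOF
nft add table inet papercut
nft add chain inet papercut input '{ type filter hook input priority 0; policy accept; }'
nft add rule inet papercut input iifname lo tcp dport $port accept
nft add rule inet papercut input tcp dport $port drop
EOF
}

# Constructed sample versions (not real hosts) showing both outcomes.
for v in 20.1.6 21.2.11 22.0.10 19.2.0 23.0.1; do
    if papercut_is_patched "$v"; then
        echo "$v: patched"
    else
        echo "$v: VULNERABLE - patch, or apply:"; papercut_fw_rules 9191
    fi
done
```

The printed nft commands are meant to be reviewed and then run as root on the PaperCut host; the edge-device block from the advisory still has to be applied separately.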

Link(s):
https://thehackernews.com/2023/05/microsoft-warns-of-state-sponsored.html