Iranian state groups have now joined financially motivated actors in actively exploiting a critical flaw in the PaperCut print management software, Microsoft revealed over the weekend.
The tech giant’s threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to gain initial access.
“This activity shows Mint Sandstorm’s continued ability to ramp up quickly [proof-of-concept] exploits to their operations,” Microsoft said in a series of tweets.
On the other hand, the CVE-2023-27350 exploit activity associated with Mango Sandstorm is said to be on the lower end of the spectrum, with the state-sponsored group "using tools from previous intrusions to connect to their C2 infrastructure".
It is worth noting that Mango Sandstorm is linked to Iran’s Ministry of Intelligence and Security (MOIS) and Mint Sandstorm is associated with the Islamic Revolutionary Guard Corps (IRGC).
The ongoing assault comes weeks after Microsoft confirmed the involvement of Lace Tempest, a cybercrime gang that overlaps with other hacking groups such as FIN11, TA505 and Evil Corp, in abusing the flaw to deliver Cl0p and LockBit ransomware.
CVE-2023-27350 (CVSS Score: 9.8) is a critical bug in PaperCut MF and NG installations that can be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges on the print server.
PaperCut made a patch available on March 8, 2023. Trend Micro’s Zero Day Initiative (ZDI), which discovered and reported the issue, is expected to release more technical information about it on May 10, 2023.
Additionally, cybersecurity firm VulnCheck last week released details about a new line of attack that can bypass existing detections, allowing adversaries to exploit the flaw unhindered.
With more attackers jumping on the PaperCut exploit bandwagon to breach vulnerable servers, it is imperative that organizations move quickly to apply the necessary updates: PaperCut MF/NG versions 20.1.7, 21.2.11, and 22.0.9 or later, depending on the release branch in use.
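The three fixed releases above belong to three different release branches, so "is my server patched?" is a branch-aware comparison rather than a single threshold: 21.2.10 is vulnerable even though it is numerically higher than 20.1.7. The following is an added triage helper written for this article, not code from PaperCut, Microsoft, or The Hacker News. It parses version strings as they appear in a PaperCut admin console (the "22.0.8 (Build 65019)" format and the inventory below are constructed sample input), compares them against the fixed releases listed in the article, and flags hosts that still need the update. Two assumptions are labelled in the code: branches older than 20.x have no fixed release listed and are treated as vulnerable, and any branch newer than 22.x is assumed to have shipped after the fix.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the article for CVE-2023-27350, keyed by release branch.
FIXED_BY_MAJOR: Dict[int, Tuple[int, int, int]] = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
LOWEST_FIXED_MAJOR = min(FIXED_BY_MAJOR)   # 20
HIGHEST_FIXED_MAJOR = max(FIXED_BY_MAJOR)  # 22


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull major.minor.patch out of a version string.

    Tolerates trailing build metadata such as '22.0.8 (Build 65019)'
    (constructed example format) and raises on anything without x.y.z.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_patched(version_text: str) -> bool:
    """True if the version is at or above the fixed release for its branch."""
    version = parse_version(version_text)
    major = version[0]
    if major in FIXED_BY_MAJOR:
        # Compare within the branch: 21.2.10 < 21.2.11 is vulnerable even
        # though it is numerically above 20.1.7.
        return version >= FIXED_BY_MAJOR[major]
    if major < LOWEST_FIXED_MAJOR:
        # Assumption: no fixed release is listed for branches older than 20.x,
        # so treat them as vulnerable and in need of an upgrade.
        return False
    # Assumption: branches newer than 22.x were released after the fix.
    return major > HIGHEST_FIXED_MAJOR


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose PaperCut version still needs the update, sorted."""
    needs_update = [host for host, ver in inventory.items() if not is_patched(ver)]
    return sorted(needs_update)


# Constructed sample inventory: hostname -> version string from the admin console.
SAMPLE_INVENTORY = {
    "print-01": "22.0.8 (Build 65019)",   # one release short of the fix
    "print-02": "22.0.9 (Build 65100)",   # fixed
    "print-03": "21.2.10",                 # numerically > 20.1.7 but vulnerable
    "print-04": "20.1.7",                  # exactly the fixed release
    "print-05": "19.2.3",                  # older branch, no fix listed
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update required")
```

Run as-is, the script lists print-01, print-03 and print-05. Feed it the version strings collected from each server's admin console (or from an asset inventory export) and the output is the patch list; a version string that does not parse is deliberately an error rather than a silent "patched", since an unknown version on an internet-facing print server is not a result to trust.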
The development also follows a Microsoft report which revealed that Iranian threat actors are increasingly relying on a new tactic that combines offensive cyber operations with multi-pronged influence operations to “fuel geopolitical change in accord with the objectives of the regime”.
The change coincides with a faster pace of adoption of newly reported vulnerabilities, the use of compromised websites for command and control to better hide the source of attacks, and the use of custom tooling to achieve maximum impact.
Recently, Microsoft has warned of state-sponsored threat actors exploiting a security vulnerability in PaperCut, a popular software package used by businesses to manage their print jobs. According to Microsoft, the critical vulnerability, CVE-2023-27350, can be exploited to execute arbitrary code with SYSTEM privileges on the server running PaperCut.
No credentials are required: an attacker who can reach the PaperCut server over the network can trigger the flaw without any user interaction, which is why exposed print servers are an attractive target. Microsoft's warning, and PaperCut's own advisory, recommend that customers running PaperCut update to a patched version as soon as possible.
The groups behind this activity have been named above (Mango Sandstorm, Mint Sandstorm and the Lace Tempest cybercrime gang), and the attack pattern itself is far from unprecedented: it points to the dangers of leaving third-party software unpatched and reachable from untrusted networks. To protect yourself from attacks like this one, keep up to date with the latest security patches, limit network access to management interfaces such as PaperCut's, and use a reliable cybersecurity solution, such as one provided by Ikaroa.
Ikaroa's security solutions provide comprehensive protection against malicious code, ransomware, and other forms of cyber threats. With Ikaroa's solutions, businesses can protect their networks, endpoints, and workers, enabling them to work without worrying about data breaches or malicious code exploitation.
Stay vigilant and keep your business secure with Ikaroa's cybersecurity solutions. Keep your networks and endpoints up to date and, crucially, deploy the latest security patches for all software you rely on, including PaperCut.