APTs Exploiting the new PaperCut Vulnerability

-

The Vulnerabilities

Print management software company PaperCut warned users of their product about an actively exploited vulnerability in their printing management software. The company claimed that 3rd party security vendors informed them of the two critical vulnerabilities as far back as January 10th, 2023.

Tracked as CVE-2023-27350 and CVE-2023-27351, the low-complexity vulnerabilities allow for threat actors to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM permissions and without user interaction. Both flaws have since been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later.

Technical details on the exploits and proof of concept(s) can be found here: 
  • https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/ 
  • https://packetstormsecurity.com/files/172022/PaperCut-NG-MG-22.0.4-Authentication-Bypass.html
  • https://github.com/horizon3ai/CVE-2023-27350
  • https://vulncheck.com/blog/papercut-rce
  • https://github.com/sophoslabs/IoCs/blob/master/papercut-nday-indicators-of-compromise.csv


Iranian APTs Leverage PaperCut Vulnerabilities

Researchers at Microsoft have shared observations on groups like Muddywater (aka Mercury, Mango Sandstorm, possibly Iranian Ministry of Intelligence and Security) and Phosphorus (aka APT35, Mint Sandstorm, possibly Iranian Islamic Revolutionary Guard Corps) targeting vulnerable PaperCut MF/NG print management servers.

Microsoft's Threat Intelligence (MSTIC) team suggests that observed attacks by Mint Sandstorm appear "opportunistic" and across multiple sectors and geographies.

Mango Sandstorm's targeting of PaperCut servers, however, is much quieter. MSTIC researchers noted that operators were leveraging tools from older intrusions to connect to their C2 infrastructure.

Criminal Exploitation

Prior to Microsoft releasing their observations on Iranian exploitation of the PaperCut bugs, they first detailed attacks linked to financially motivated threat actor, Lace Tempest (possible FIN11 subgroup).






These attacks followed the quick release of multiple proof of concept exploits. Some intrusions have been reported to have even led to Lockbit ransomware deployments but as of this writing there are no solid details on this claim. Due to the ease of exploitation and amount of vulnerable servers in question, this claim is likely valid.

Federal agencies were ordered to secure their PaperCut servers by May 12th, 2023 after CISA added the bug to its list of known exploited vulnerabilities.

Suggestions and Takeaways

The PaperCut vulnerability was quickly exploited by advanced threat groups after PoC exploits were made available. Matched with the criticality of the actual flaw and the developer's claim that millions of users leverage their solution, organizations are urged to patch immediately and use available indicators of compromise for signature authoring and/or threat hunting. Refer to the VulnCheck blog above for the most recent attack method and the SophosLabs Github link for multiple IOCs in .csv.



Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more