Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft reports two Iranian hacking groups exploiting PaperCut flaw

By Deeba Ahmed The two groups exploiting the vulnerability are Mango Sandstorm and Mint Sandstorm. Both are linked to the Iranian government and intelligence agencies. This is a post from HackRead.com Read the original post: Microsoft reports two Iranian hacking groups exploiting PaperCut flaw

HackRead
#vulnerability#microsoft#intel#backdoor#auth#zero_day

PaperCut vulnerability is a flaw in widely-used printing management software that allows an unauthenticated actor to execute arbitrary code, gain SYSTEM privileges, and obtain sensitive personal information stored in company servers.

Microsoft’s threat intelligence team reports that two Iranian state-sponsored hacking groups are actively exploiting a vulnerability discovered in a widely used printing management software, PaperCut. Government agencies, educational institutions, and large-scale organizations worldwide are among the leading users of PaperCut.

About the Hackers

Two prominent Iranian hacking groups are observed exploiting this vulnerability. Mango Sandstorm is affiliated with the country’s Ministry of Intelligence and Security (MOIS). The other group, Mint Sandstorm is linked with the Islamic Revolutionary Guard Corps (IRGC). This exploitative activity seems “opportunistic,” claims Microsoft, and impacts organizations across diverse sectors and regions.

Vulnerability Found in PaperCut Actively Exploited by Hackers

According to Microsoft’s report, Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) are exploiting the PaperCut vulnerability (tracked as CVE-2023-27350 with a CVSS score of 9.8) for initial access in their attacks.

It indicates that Mint Sandstorm is continually working towards incorporating PoC exploits in their operations, whereas Mango Sandstorm’s exploitation activities are considerably low. These actors are targeting companies using unpatched versions of the printing software.

“We have evidence to suggest that unpatched servers are being exploited in the wild,” Microsoft noted.

On Friday, Microsoft said two nation-state actors they call Mint Sandstorm and Mango Sandstorm have been attacking companies running unpatched versions of PaperCut software, which is used widely by government agencies, universities, and large companies around the world.

More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.

— Microsoft Threat Intelligence (@MsftSecIntel) May 5, 2023

When was it Discovered?

The flaw was disclosed by Trend Micro Zero Day Initiative (ZDI) on March 8. The company published an urgent update to its advisory, urging organizations running PaperCut to install the patch. Since the publishing of this advisory, many ransomware groups began to exploit it, including LockBit and Clop.

The attack spree comes after Microsoft reported the activities of the Lace Tempest cybercrime group in abusing this flaw to distribute LockBit and Cl0p ransomware. The flaw was identified in PaperCut NG and MF installations. Trend Micro says it will release more details about the vulnerability on May 10.

What are the Dangers Associated with this Vulnerability?

An unauthenticated actor can easily exploit to execute arbitrary code as they will gain SYSTEM privileges. Hackers can gain remote access to their victims’ systems and obtain sensitive personal information, including usernames, full names, payment card numbers linked with the account, and email IDs, usually stored in company servers.

CISA (Cybersecurity and Infrastructure Security Agency) added it to its list of exploited flaws last month and has given May 12, 2023 deadline to federal civilian agencies to install the patch.

  1. Hacker takes over thousands of Printers; sends alerts to users
  2. Spoofed Emails from Corporate Printer Vendors Install Backdoor
  3. Hackers can conduct DoS attacks Using Flaw in Brother Printers
  4. HP Bug Bounty Program: Hack HP Printers & Earn Up To $10,000
  5. 28K exposed printers hacked to underline lack of printer security

Related news

Researchers Uncover New High-Severity Vulnerability in PaperCut Software

Cybersecurity researchers have discovered a new high-severity security flaw in PaperCut print management software for Windows that could result in remote code execution under specific circumstances. Tracked as CVE-2023-39143 (CVSS score: 8.4), the flaw impacts PaperCut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability. "

CVE-2023-39143: CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability

PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).

PaperCut PaperCutNG Authentication Bypass

This Metasploit module leverages an authentication bypass in PaperCut NG. If necessary it updates Papercut configuration options, specifically the print-and-de vice.script.enabled and print.script.sandboxed options to allow for arbitrary code execution running in the builtin RhinoJS engine. This module logs at most 2 events in the application log of papercut. Each event is tied to modification of server settings.

Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code

The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a

Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability

U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a

Threat Source newsletter (May 11, 2023) — So much for that ransomware decline

A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.

Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. "This activity shows Mint

Ransomware review: May 2023

LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. (Read more...) The post Ransomware review: May 2023 appeared first on Malwarebytes Labs.

Researchers Uncover New Exploit for PaperCut Vulnerability That Can Bypass Detection

Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections. Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. While the flaw was patched by the

Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo

AI-generated spam comments on Amazon, the latest on the 3CX supply chain attack and more security headlines from the past week.

PaperCut NG/MG 22.0.4 Authentication Bypass

PaperCut NG/MG version 22.0.4 suffers from an authentication bypass vulnerability.

Update your PaperCut application servers now: Exploits in the wild

Categories: News Tags: PaperCut Tags: server Tags: exploit Tags: attack Tags: authentication Tags: update Tags: patch We take a look at urgent updates needed for users of PaperCut, after two exploits were found in the wild. (Read more...) The post Update your PaperCut application servers now: Exploits in the wild appeared first on Malwarebytes Labs.

Attackers Abuse PaperCut RCE Flaws to Take Over Enterprise Print Servers

Customers should apply updates to the print management software used by more than 100 million organizations worldwide, with typical US customers found in the SLED sector.

Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers

Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro. "PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01

CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The three vulnerabilities are as follows - CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability  CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control