Headline
Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability
Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant’s threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. "This activity shows Mint
Cyber Espionage / Vulnerability
Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said.
The tech giant’s threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access.
“This activity shows Mint Sandstorm’s continued ability to rapidly incorporate [proof-of-concept] exploits into their operations,” Microsoft said in a series of tweets.
On the other hand, CVE-2023-27350 exploitation activity associated with Mango Sandstorm is said to be on the lower end of the spectrum, with the state-sponsored group “using tools from prior intrusions to connect to their C2 infrastructure.”
It’s worth noting that Mango Sandstorm is linked to Iran’s Ministry of Intelligence and Security (MOIS) and Mint Sandstorm is said to be associated with the Islamic Revolutionary Guard Corps (IRGC).
The ongoing assault comes weeks after Microsoft confirmed the involvement of Lace Tempest, a cybercrime gang that overlaps with other hacking groups like FIN11, TA505, and Evil Corp, in abusing the flaw to deliver Cl0p and LockBit ransomware.
CVE-2023-27350 (CVSS score: 9.8) relates to a critical flaw in PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.
A patch was made available by PaperCut on March 8, 2023. Trend Micro’s Zero Day Initiative (ZDI), which discovered and reported the issue, is expected to release more technical information about it on May 10, 2023.
Cybersecurity firm VulnCheck, last week, published details on a new line of attack that can circumvent existing detections, enabling adversaries to leverage the flaw unimpeded.
UPCOMING WEBINAR
Learn to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
Save My Seat!
With more attackers jumping in on the PaperCut exploitation bandwagon to breach vulnerable servers, it’s imperative that organizations move quickly to apply the necessary updates (versions 20.1.7, 21.2.11, and 22.0.9 and later).
The development also follows a report from Microsoft which revealed that Iranian threat actors in Iran are increasingly relying on a new tactic that combines offensive cyber operations with multi-pronged influence operations to “fuel geopolitical change in alignment with the regime’s objectives.”
The shift coincides with an increased tempo in adopting newly reported vulnerabilities, the use of compromised websites for command-and-control to better conceal the source of attacks, and harnessing custom tooling and tradecraft for maximum impact.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Cybersecurity researchers have discovered a new high-severity security flaw in PaperCut print management software for Windows that could result in remote code execution under specific circumstances. Tracked as CVE-2023-39143 (CVSS score: 8.4), the flaw impacts PaperCut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability. "
PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).
This Metasploit module leverages an authentication bypass in PaperCut NG. If necessary it updates Papercut configuration options, specifically the print-and-de vice.script.enabled and print.script.sandboxed options to allow for arbitrary code execution running in the builtin RhinoJS engine. This module logs at most 2 events in the application log of papercut. Each event is tied to modification of server settings.
The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a
U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a
A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.
By Deeba Ahmed The two groups exploiting the vulnerability are Mango Sandstorm and Mint Sandstorm. Both are linked to the Iranian government and intelligence agencies. This is a post from HackRead.com Read the original post: Microsoft reports two Iranian hacking groups exploiting PaperCut flaw
LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. (Read more...) The post Ransomware review: May 2023 appeared first on Malwarebytes Labs.
Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections. Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. While the flaw was patched by the
AI-generated spam comments on Amazon, the latest on the 3CX supply chain attack and more security headlines from the past week.
PaperCut NG/MG version 22.0.4 suffers from an authentication bypass vulnerability.
Categories: News Tags: PaperCut Tags: server Tags: exploit Tags: attack Tags: authentication Tags: update Tags: patch We take a look at urgent updates needed for users of PaperCut, after two exploits were found in the wild. (Read more...) The post Update your PaperCut application servers now: Exploits in the wild appeared first on Malwarebytes Labs.
Customers should apply updates to the print management software used by more than 100 million organizations worldwide, with typical US customers found in the SLED sector.
Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro. "PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The three vulnerabilities are as follows - CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control