PaperCut Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Clop and LockBit Ransomware Exploit Fresh Vulnerabilities in PaperCut
https://gridinsoft.com/blogs/clop-lockbit-and-papercut/
Fri, 28 Apr 2023 13:51:33 +0000

The post Clop and LockBit Ransomware Exploit Fresh Vulnerabilities in PaperCut appeared first on Gridinsoft Blog.


Microsoft has linked recent attacks on PaperCut servers to ransomware operations by Clop and LockBit, which used vulnerabilities to steal corporate data.

In March 2023, print management solutions provider PaperCut fixed vulnerabilities CVE-2023-27350 (9.8 out of 10 on the CVSS scale, equalling the recently discovered MSMQ vulnerability) and CVE-2023-27351 (8.2 out of 10 on the CVSS scale).

They allowed attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges, as well as to extract usernames, full names, email addresses and other sensitive data. It was emphasized that such attacks do not require user interaction.

In mid-April, it became known that hackers were already exploiting these vulnerabilities, and a PoC exploit for the more dangerous of the two appeared in the public domain.

Clop and LockBit ransomware operations are behind these attacks on PaperCut servers, Microsoft analysts now report, using the bugs to steal corporate data from vulnerable servers.

“Microsoft links recently reported attacks using the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in PaperCut print management software to the delivery of Clop ransomware and attackers tracked as Lace Tempest (aka FIN11 and TA505),” wrote Microsoft Threat Intelligence experts.

According to the researchers, hackers have been exploiting the PaperCut vulnerabilities since April 13, 2023, using them to gain access to corporate networks. After gaining access to the server, the attackers deploy the TrueBot malware, which is associated with Clop extortion operations, as well as a Cobalt Strike beacon, which is used to move laterally across the victim’s network and steal data using the MegaSync file-sharing application.

Microsoft says some of the incidents ended with LockBit ransomware attacks, but it’s not clear if these attacks started before or after the exploits were published.

By the way, the media wrote that Canadian Police Arrested a Russian Man Involved in LockBit Ransomware Attacks.

Experts urge all administrators to install the available patches as soon as possible, since other attackers are likely to pick up these fresh bugs soon as well. PaperCut MF and NG users are strongly advised to upgrade to versions 20.1.7, 21.2.11 or 22.0.9.

PaperCut Vulnerability Allows RCE, Exploited in the Wild
https://gridinsoft.com/blogs/papercut-vulnerability-allows-rce/
Wed, 26 Apr 2023 11:33:14 +0000

The post PaperCut Vulnerability Allows RCE, Exploited in the Wild appeared first on Gridinsoft Blog.

PaperCut, a software solution used for print management, appears to be vulnerable to remote code execution (RCE). Another security flaw discovered alongside it allows extracting user data from the profiles created in the program. The RCE vulnerability is already being used in cyberattacks.

What is PaperCut?

PaperCut is a print management solution that allows fine-tuning printer usage. It provides features such as print job tracking, print quota management, cost allocation and secure printing, among others. The latter is especially important for preventing data leaks within a company. The software supports a wide range of printers, scanners and other devices of that kind. It is a pretty popular solution – the latest data mentions over 100 million users around the world. It can be very, very unfortunate if something that popular is unsafe.

Two Vulnerabilities Found in PaperCut Software

Recent research shows that PaperCut has two vulnerabilities – one is bad, and the other is horrifying. Let’s start with the most worrying one. CVE-2023-27350 allows remote code execution (RCE) without any authentication. RCE/ACE (arbitrary code execution) vulnerabilities are extremely dangerous, and a CVSS score of 9+ is common for them. This one received 9.8 points – equalling the recently discovered MSMQ vulnerability.

Even more unpleasant is the fact that crooks have already succeeded in using this vulnerability in cyberattacks. TrendMicro reported hackers using the RCE vulnerability to execute a PowerShell script, which downloaded a ransomware payload while bypassing the passive security solutions present in the network. The threat actors pulled off this trick using the Windows Network Shell (netsh) utility. Another interesting feature of that attack is the use of temporary file hosting for payload delivery: after 60 minutes the file is automatically removed from the hosting, leaving no evidence behind.

[Figure: PaperCut RCE vulnerability exploitation scheme]

CVE-2023-27351 is less severe, yet still unpleasant. It also allows unauthorized access, but this time the target is users’ information. Hackers can extract things like users’ full names, usernames, emails and even card numbers. All this information is available from user profiles created on PaperCut MF servers. Potentially, this lets attackers obtain credentials for PaperCut accounts.

List of PaperCut software vulnerable to the mentioned exploits:

                     CVE-2023-27350                       CVE-2023-27351
Affected roles       Site servers, Application servers    Application servers
Affected versions    PaperCut MF/NG v.8.0 or later        PaperCut MF/NG v.15.0 or later

How to Protect Against PaperCut Vulnerability?

Fortunately for all corporations that use the program, the developer has already acknowledged the issue and released a security update. They recommend installing the latest updates available for the vulnerable software as soon as possible. Such a rapid reaction is greatly appreciated, but companies generally tend to delay updates. This may be caused by numerous factors, some of which are hard to deal with. For that reason, preventive measures may be a more convenient option.
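As an added example (not code from Gridinsoft or PaperCut), here is a small Python triage script that checks a PaperCut MF/NG version string against the affected roles and versions in the table above and the fixed releases named in the first post (20.1.7, 21.2.11, 22.0.9). It assumes the version string is collected out of band (for instance from the server's admin console) and, conservatively, that any release branch other than 20.1, 21.2 and 22.0+ is unpatched.

```python
# Added triage example (not PaperCut's or Gridinsoft's code). Assumptions: the
# version string is collected out of band (e.g. from the admin console);
# branches other than 20.1, 21.2 and 22.0+ are treated as unpatched.
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the first post: 20.1.7, 21.2.11, 22.0.9.
FIXED_BY_BRANCH = {(20, 1): (20, 1, 7), (21, 2): (21, 2, 11), (22, 0): (22, 0, 9)}

# Affected ranges from the table above: first affected version and server roles.
AFFECTED = {
    "CVE-2023-27350": ((8, 0, 0), {"application", "site"}),
    "CVE-2023-27351": ((15, 0, 0), {"application"}),
}

def parse_version(text: str) -> Version:
    """'v.21.2.10' or '22.0.9' -> (21, 2, 10); missing fields default to 0."""
    fields = text.strip().lstrip("v").lstrip(".").split(".")
    nums = [int(f) for f in fields[:3]] + [0, 0, 0]
    return nums[0], nums[1], nums[2]

def is_patched(version: Version) -> bool:
    """True when the version is at or above the fix for its release branch."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version >= FIXED_BY_BRANCH[branch]
    # 22.1+ shipped after the fix; every other branch (19.x, 21.0, ...) is
    # assumed unpatched (conservative assumption, not a PaperCut statement).
    return version >= (22, 1, 0)

def assess(version_text: str, role: str) -> Dict[str, str]:
    """Map each CVE to 'not affected', 'patched' or 'vulnerable' for one host."""
    version = parse_version(version_text)
    verdicts = {}
    for cve, (first_affected, roles) in AFFECTED.items():
        if role not in roles or version < first_affected:
            verdicts[cve] = "not affected"
        elif is_patched(version):
            verdicts[cve] = "patched"
        else:
            verdicts[cve] = "vulnerable"
    return verdicts

if __name__ == "__main__":
    # Constructed sample inventory: (version string, server role).
    inventory = [("21.2.10", "application"), ("22.0.9", "site"), ("14.3", "application")]
    for ver, role in inventory:
        print(f"{ver:>8} {role:<12} {assess(ver, role)}")
```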

The most effective protection against exploitation is anti-malware software with a zero-trust policy, which assumes that no software is trusted and that every action must be checked. Modern EDR/XDR solutions generally adopt this exact policy, as it provides much higher protection rates against modern threats. Certainly, it has its downsides – but they are minor compared to the consequences of a ransomware attack or APT activity.

Another option is active network protection. As I mentioned above, hackers used netsh to bypass firewall restrictions and reach the file hosting. More advanced network security solutions, such as Network Detection and Response (NDR) systems, are not susceptible to this trick. They also make it much easier to analyze cyberattacks (or attempted ones) and to implement urgent reactive measures.
