Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the "Check for updates" page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version. (Image caption: World map showing locations of PaperCut installations.) PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.

Last Wednesday, PaperCut warned that a critical vulnerability it patched in the software in March was under active attack against machines that had yet to install the March update. The vulnerability, tracked as CVE-2023-27350, carries a severity rating of 9.8 out of a possible 10. It allows an unauthenticated attacker to remotely execute malicious code without needing to log in or provide a password. A related vulnerability, tracked as CVE-2023-27351 with a severity rating of 8.2, allows unauthenticated attackers to extract usernames, full names, email addresses, and other potentially sensitive data from unpatched servers.

Two days after PaperCut revealed the attacks, security firm Huntress reported that it found threat actors exploiting CVE-2023-27350 to install two pieces of remote management software, one known as Atera and the other Syncro, on unpatched servers. Evidence then showed that the threat actor used the remote management software to install malware known as Truebot. Truebot is linked to a threat group known as Silence, which has ties with the ransomware group known as Clop. Previously, Clop used Truebot in in-the-wild attacks that exploited a critical vulnerability in the GoAnywhere MFT file-transfer software.

(Caption: PaperCut CVE-2023-27350 proof-of-concept exploitation.) The exploit works by adding malicious entries to one of the print-script templates that are present by default.
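One way to hunt for the tampering described above, as an added example that is not code from the page, from PaperCut or from any of the researchers cited: take a baseline of SHA-256 hashes of the print-script template files on a known-good install, then re-run the hunt to report files whose content changed, files that appeared or vanished, and files whose modification time falls on or after the earliest suspicious activity in PaperCut's timeline (April 13th, 2023, 15:29 UTC). The template directory path is an assumption to be replaced with the script location under your own install; the function names, the reason labels and the sample file names are mine.

```python
"""Hunt for tampered PaperCut print-script templates (added example, not PaperCut code)."""
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Earliest suspicious activity in PaperCut's published timeline, converted to UTC.
EARLIEST_SUSPICIOUS_UTC = datetime(2023, 4, 13, 15, 29, tzinfo=timezone.utc)

# Assumed location of the templates; replace with the path under your own [app-path].
ASSUMED_TEMPLATE_DIR = Path("/opt/papercut/server/templates")  # hypothetical


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large template need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(template_dir) -> dict:
    """Map each file (path relative to template_dir) to its SHA-256. Run on a known-good install."""
    root = Path(template_dir)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def hunt(template_dir, baseline: dict, since: datetime = EARLIEST_SUSPICIOUS_UTC) -> list:
    """Return (relative_path, reason) findings for the templates under template_dir.

    Reasons: 'hash-mismatch' (content differs from the baseline), 'unknown-file'
    (present but not in the baseline), 'missing-file' (in the baseline but gone)
    and 'modified-after-window' (mtime on or after `since`; advisory only, since
    whoever wrote the file can also reset its timestamp).
    """
    root = Path(template_dir)
    findings = []
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings.append((rel, "unknown-file"))
        elif baseline[rel] != sha256_of(p):
            findings.append((rel, "hash-mismatch"))
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if mtime >= since:
            findings.append((rel, "modified-after-window"))
    for rel in sorted(baseline):
        if rel not in seen:
            findings.append((rel, "missing-file"))
    return findings


if __name__ == "__main__":
    # Typical use: build_baseline() on a clean install, store it as JSON, later run hunt() against it.
    import json
    import sys

    target = Path(sys.argv[1]) if len(sys.argv) > 1 else ASSUMED_TEMPLATE_DIR
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            baseline = json.load(fh)
    else:
        baseline = build_baseline(target)
    for rel, reason in hunt(target, baseline):
        print(f"{reason:22} {rel}")
```

Take the baseline from a freshly patched install or from an offline backup that predates the activity window, not from the running server: a baseline taken from an already-tampered file would hide the change. The hash comparison is the finding that counts; the modification-time check only prioritises what to read first.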
PaperCut MF/NG versions 19 and older have reached end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG, or through their PaperCut Partner for PaperCut MF. Users with a currently supported version (version 20 or later) can upgrade to any maintenance release version they are licensed for.

If upgrading to a patched release is not possible, there are alternative options to reduce exposure. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 by default) and blocking all inbound traffic to the web management portal at the firewall in front of the server. Additionally, users can apply "Allow list" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to allow only the IP addresses of verified Site Servers on their network. That allow list governs which hosts may connect as Site Servers; it complements, rather than replaces, the firewall restriction on the web management port.

The vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.

The exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST (April 17th, 2023, at 17:30 UTC). The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST (April 13th, 2023, at 15:29 UTC). Applying the security fixes should not have any negative impact.
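To confirm that the firewall lockdown above actually took effect, here is an added example (not PaperCut's own tooling) that probes the web management port from an outside vantage point and classifies each target as open (handshake completed), closed (connection refused), filtered (no answer within the timeout, which is what a silently dropping firewall looks like) or unreachable. Port 9191 is the HTTP management port named in the advisory; 9192 is PaperCut's default HTTPS management port and is an assumption added here. The placeholder host name and the function names are mine.

```python
"""Probe PaperCut's web management port from outside the perimeter (added example, not PaperCut tooling)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# 9191 is the HTTP management port named in the advisory; 9192 (HTTPS) is an assumption added here.
MANAGEMENT_PORTS = (9191, 9192)


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one host:port as seen from this vantage point.

    'open'        TCP handshake completed: the port is reachable, so the lockdown is not in effect here.
    'closed'      RST received: the host answered but nothing listens, or the firewall rejects.
    'filtered'    no answer within `timeout`: typically a firewall silently dropping the SYN.
    'unreachable' name resolution or routing failure.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def check_exposure(hosts, ports=MANAGEMENT_PORTS, timeout: float = 3.0, workers: int = 16) -> dict:
    """Probe every host/port pair concurrently; returns {(host, port): classification}."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    return dict(zip(targets, verdicts))


def still_exposed(results: dict) -> list:
    """The targets that need attention: anything still completing the handshake."""
    return sorted(t for t, verdict in results.items() if verdict == "open")


if __name__ == "__main__":
    import sys

    # The default host is a placeholder; pass your own PaperCut server names or IPs as arguments.
    hosts = sys.argv[1:] or ["papercut.example.internal"]
    results = check_exposure(hosts)
    for (host, port), verdict in sorted(results.items()):
        print(f"{host}:{port:<5} {verdict}")
    if still_exposed(results):
        sys.exit("web management port still reachable from this vantage point")
```

Run it from a host outside the network perimeter, not from the server's own subnet, since the rule being verified is about external sources. A filtered result after the change and an open result before it is the expected before/after picture; a closed result on a running server means the host itself is rejecting rather than the firewall dropping, which is worth a second look at where the rule was applied.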
The FBI, together with CISA, has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.