PaperCut says hackers are exploiting ‘critical’ security flaws in unpatched servers
Print management software maker PaperCut says attackers are exploiting a critical-rated security vulnerability to gain access to unpatched servers on customer networks.
PaperCut offers two print management products, PaperCut NG and PaperCut MF, used by local governments, large enterprises and healthcare and education institutions. PaperCut’s website says it has over 100 million users from more than 70,000 organizations worldwide.
In an advisory last week, PaperCut said that a critical vulnerability it patched earlier in March was under active attack against machines that had yet to install the security update. The vulnerability, tracked as CVE-2023-27350, is scored 9.8 out of a possible 10 in vulnerability severity as it could allow an unauthenticated attacker to remotely execute malicious code on a server without needing credentials.
PaperCut also sounded the alarm about a separate but similar flaw in its software, tracked as CVE-2023-27351 with a vulnerability severity rating of 8.2 out of 10. The bug allows hackers to extract information about users stored within a customer’s PaperCut MF and NG servers, including usernames, full names, email addresses, department information and payment card numbers associated with the accounts.
“Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later,” the company said. “We highly recommend upgrading to one of these versions containing the fix.
Since PaperCut’s confirmation of in-the-wild attacks, cybersecurity company Huntress said it observed hackers exploiting the vulnerabilities to plant legitimate remote management software — Atera and Syncro — to backdoor unpatched servers. Huntress said it has detected about 1,800 internet-exposed PaperCut servers.
Huntress said that the attackers used the remote tools to plant malware known as Truebot, which is often used by the Russia-backed Clop gang before it deploys ransomware. Clop is also believed to have used Truebot as part of its mass-hack targeting customers of Fortra’s GoAnywhere file transfer tool.
“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning,” Huntress wrote. “Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”
Huntress said it created an unreleased proof-of-concept exploit to evaluate the threat posed by the two vulnerabilities. On Monday, researchers with automated pentesting firm Horizon3 released its own proof-of-concept exploit code for the 9.8-rated vulnerability.
CISA added the highest-severity CVE-2023-27350 flaw to its list of actively exploited vulnerabilities on Friday, ordering federal agencies to secure their systems against ongoing exploitation within three weeks by May 12.