Print management software provider PaperCut said it has “evidence to suggest that unpatched servers are being exploited in the wild,” citing two vulnerability reports from cybersecurity firm Trend Micro.
“PaperCut has performed an analysis on all customer reports, and the earliest signature of suspicious activity on customer servers potentially related to this vulnerability was April 14 01:29 AEST / April 13 15:29 UTC,” the company added.
This update comes as the US Cybersecurity and Infrastructure Security Agency (CISA) added the critical improper access control flaw (CVE-2023-27350, CVSS score: 9.8) in PaperCut MF and NG to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
Cybersecurity firm Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands spawned from the PaperCut software to install remote monitoring and management (RMM) tools such as Atera and Syncro, giving the attackers persistent access and code execution on the infected host.
Additional infrastructure analysis revealed that the domain hosting the tool – windowservicecemter(.)com – registered on April 12, 2023, also hosts malware like TrueBot, though the company says it hasn’t directly detected the spread of the downloader.
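The behaviour Huntress describes, a shell process launched by the PaperCut server to install an RMM agent, is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article, PaperCut or Huntress; it runs over constructed Sysmon-style events, and the PaperCut process names it matches on (pc-app.exe, pc-web-print.exe) are assumptions rather than details from the article.

```python
"""Added detection example (not from the article, PaperCut or Huntress): flag a
shell spawned by the PaperCut application server, rated higher when the command
line references one of the RMM agents the article names (Atera, Syncro)."""
import json
import re

# Assumed image names of PaperCut server processes; adjust to your deployment.
PAPERCUT_PARENTS = {"pc-app.exe", "pc-web-print.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# RMM agents named in the article, matched in the child's command line.
RMM_HINTS = re.compile(r"atera|syncro", re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event.get("ParentImage", "")) not in PAPERCUT_PARENTS:
        return None
    if basename(event.get("Image", "")) not in SHELLS:
        return None
    if RMM_HINTS.search(event.get("CommandLine", "")):
        return "high"    # shell from PaperCut pulling in a named RMM tool
    return "medium"      # any shell child of PaperCut is worth triage

def scan(lines):
    """Parse JSON-lines events; return (severity, ProcessId) for each hit."""
    hits = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            sev = classify(event)
            if sev:
                hits.append((sev, event["ProcessId"]))
    return hits

# Constructed sample telemetry (raw string so the JSON keeps its escaped backslashes).
SAMPLE = r"""
{"ProcessId": 101, "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -w hidden -c \"msiexec /i AteraAgent.msi /qn\""}
{"ProcessId": 102, "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"ProcessId": 103, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -c \"msiexec /i SyncroSetup.msi\""}
{"ProcessId": 104, "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "Image": "C:\\Program Files\\PaperCut MF\\server\\runtime\\jre\\bin\\java.exe", "CommandLine": "java.exe -server"}
"""

if __name__ == "__main__":
    for sev, pid in scan(SAMPLE.splitlines()):
        print(f"{sev}: PID {pid}")
```

Only the two events whose parent is the PaperCut server process and whose child is a shell are reported; the user-launched Syncro install and the server's own Java child are ignored.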
TrueBot is associated with the Russian criminal entity known as Silence, which in turn has historical ties to Evil Corp and the overlapping TA505 cluster, the latter facilitating distribution of the Cl0p ransomware in the past.
“While the ultimate goal of the current activity leveraging the PaperCut software is unknown, this link (albeit somewhat indirect) to a known ransomware entity is concerning,” Huntress researchers said.
“Potentially, the access gained through the PaperCut exploit could be used as a foothold leading to further movement within the victim’s network, and ultimately the spread of the ransomware.”
Users are advised to upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9) as soon as possible, regardless of whether the server is “available for external or internal connections”, to mitigate potential risks.
Customers who are unable to apply the security update are advised to lock down network access to the server by blocking all inbound traffic from external IP addresses and restricting access to verified site servers only.