Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in the PaperCut print management software, Microsoft revealed last weekend.
The tech giant’s threat intelligence team said it had observed Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access.
“This activity demonstrates Mint Sandstorm’s continued ability to quickly incorporate (proof-of-concept) exploits into their operations,” Microsoft said in a series of tweets.
CVE-2023-27350 exploit activity associated with Mango Sandstorm, on the other hand, is said to be on the lower end of the spectrum, with the state-sponsored group “using tools from previous intrusions to connect to their C2 infrastructure.”
Mango Sandstorm is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), while Mint Sandstorm is linked to the Islamic Revolutionary Guard Corps (IRGC).
The ongoing attacks come weeks after Microsoft confirmed the involvement of Lace Tempest, a cybercrime group that overlaps with FIN11, TA505, and Evil Corp, in exploiting the flaws to deliver Cl0p and LockBit ransomware.
CVE-2023-27350 (CVSS score: 9.8) is a critical improper access control flaw in PaperCut MF and NG that allows an unauthenticated attacker to bypass authentication on the application server and execute arbitrary code with SYSTEM privileges.
A patch was provided by PaperCut on March 8, 2023. Trend Micro’s Zero Day Initiative (ZDI), which discovered and reported the issue, is expected to release more technical information about it on May 10, 2023.
What’s more, cybersecurity firm VulnCheck last week published details of a new attack path that reaches the same code execution while evading existing detections, leaving defenders who rely on those signatures blind to exploitation.
With more attackers jumping on the PaperCut exploit bandwagon to break into vulnerable servers, organizations should apply the fixed releases (versions 20.1.7, 21.2.11, and 22.0.9 and later) without delay.
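As an added example (not code from the original article or from PaperCut), here is a branch-aware version check a defender could run over an inventory of PaperCut servers to flag builds that predate the fixed releases named above. The fix version depends on the major branch, so a plain string comparison against a single version is not enough. The 8.0 lower bound of the affected range, the treatment of branches newer than 22 as patched, and the sample inventory are assumptions, noted as such in the code.

```python
"""Branch-aware check of a PaperCut MF/NG version string against the
CVE-2023-27350 fixed releases (20.1.7, 21.2.11, 22.0.9)."""
from __future__ import annotations

import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the vendor advisory, keyed by major version branch.
FIXED_BY_BRANCH: dict[int, Version] = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}

# Assumption: the vendor advisory lists releases from 8.0 onward as affected;
# anything older is treated as out of scope here.
FIRST_AFFECTED_MAJOR = 8

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract x.y.z from strings such as '22.0.8 (Build 12345)'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def required_fix(version: Version) -> Optional[Version]:
    """Return the minimum fixed release for this branch, or None when the
    branch has no fix of its own (pre-20 branches must move to a fixed branch)."""
    return FIXED_BY_BRANCH.get(version[0])


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version still needs the CVE-2023-27350 fix."""
    version = parse_version(version_text)
    major = version[0]
    if major < FIRST_AFFECTED_MAJOR:
        return False
    fix = required_fix(version)
    if fix is not None:
        # Tuple comparison orders (major, minor, patch) numerically, so both
        # 21.2.10 < 21.2.11 and 21.0.5 < 21.2.11 correctly read as vulnerable.
        return version < fix
    if major < 20:
        return True  # affected branch with no fixed release of its own
    # Assumption: branches newer than 22 shipped after the fix.
    return False


def hosts_needing_patch(inventory: list[tuple[str, str]]) -> list[str]:
    """Return hostnames whose reported PaperCut version is still vulnerable."""
    return sorted(host for host, ver in inventory if is_vulnerable(ver))


# Constructed sample inventory: hostnames, versions and build numbers are made up.
SAMPLE_INVENTORY = [
    ("print-01", "22.0.8 (Build 12345)"),
    ("print-02", "22.0.9 (Build 12346)"),
    ("print-03", "21.2.10"),
    ("print-04", "20.0.4"),
    ("print-05", "19.2.3"),
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable to CVE-2023-27350, upgrade required")
```

The version string can be taken from the PaperCut admin interface or the server's about page; the check deliberately treats a 20.0.x or 21.0.x build as vulnerable, since the only fixed releases in those branches are 20.1.7 and 21.2.11.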
The developments also follow a Microsoft report that found Iranian threat actors increasingly relying on new tactics that combine offensive cyber operations with multi-pronged influence operations to “trigger geopolitical changes in line with regime goals.”
This shift has coincided with faster adoption of newly disclosed vulnerabilities, the use of compromised websites for command-and-control to obscure the origin of attacks, and custom tooling crafted for maximum impact.