Analytics Story: PaperCut MF NG Vulnerability
Description
The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.
Why it matters
PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply "Allow list" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network. The vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend. The exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC. Applying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Suricata | N/A | suricata |
suricata |
Sysmon EventID 1 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4688 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
References
- https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability
- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
- https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/
- https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/
- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
Source: GitHub | Version: 1