Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG | CISA

FBI and CISA warn of active exploitation of CVE-2023-27350 in PaperCut MF/NG servers, which enables unauthenticated remote code execution. The Bl00dy Ransomware Gang targeted the Education Facilities Subsector, exfiltrated data and encrypted systems; a patch has been released and the advisory includes detection guidance. #CVE-2023-27350 #PaperCutMFNG #Bl00dyRansomwareGang #EducationFacilities #FBI #CISA

Keypoints

  • CVE-2023-27350 affects unpatched PaperCut MF/NG versions and allows remote code execution without credentials.
  • Patches were released by PaperCut in March 2023; exploitation observed from mid-April 2023 onward.
  • The Bl00dy Ransomware Gang targeted the Education Facilities Subsector with this vulnerability, causing encryption and data exfiltration.
  • The adversaries used PaperCut’s print scripting interface to run commands and deployed living-off-the-land style techniques via User/Group Sync interfaces.
  • Connections to Tor or proxies were used to mask outbound traffic; DiceLoader, TrueBot, and Cobalt Strike Beacons were observed as C2 tools.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ‘CVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the following affected installations of PaperCut:[1]’
  • [T1059.003] Command-Line – Brief description: ‘Using the print scripting interface to execute shell commands.’
  • [T1059.001] PowerShell – Brief description: ‘The PaperCut server process pc-app.exe runs with SYSTEM- or root-level privileges. When the software is exploited to execute other processes such as cmd.exe or powershell.exe, these child processes are created with the same privileges.’
  • [T1105] Ingress Tool Transfer – Brief description: ‘legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface.’
  • [T1090] Proxy – Brief description: ‘External network communications through Tor and/or other proxies from inside victim networks helped Bl00dy Gang ransomware actors mask their malicious network traffic.’
  • [T1486] Data Encrypted for Impact – Brief description: ‘some operations led to data exfiltration and encryption of victim systems.’

Indicators of Compromise

  • [IP Addresses] context – 102.130.112.157, 172.106.112.46 (April 2023) and other Tor-related nodes noted in the activity
  • [Domains] context – anydeskupdate.com, anydeskupdates.com
  • [Domains] context – netviewremote.com, updateservicecenter.com, and related domains
  • [Emails] context – decrypt.support@privyonline[.]com, fimaribahundqf@gmx[.]com
  • [File Names] context – 4591187629.exe, nethelper.exe
  • [Hashes] context – c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125, 0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f
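To illustrate the parent/child relationship described under T1059.001 (pc-app.exe spawning cmd.exe or powershell.exe with SYSTEM privileges) and the file names listed in the indicators above, here is an added detection example; it is not code from the advisory or from PaperCut. It scans constructed Sysmon-style process-creation events and flags a shell spawned by pc-app.exe, plus any image whose file name matches the listed IoCs. The install path and the event field names are assumptions.

```python
import ntpath

# Parent/child pairing described in the advisory: the PaperCut server process
# (running as SYSTEM or root) spawning a shell. Names are from the advisory text.
PAPERCUT_SERVER = "pc-app.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# File names taken from the advisory's indicators of compromise.
IOC_FILE_NAMES = {"4591187629.exe", "nethelper.exe"}

def _basename(path: str) -> str:
    """Return the lowercase file name from a Windows path (works off-Windows via ntpath)."""
    return ntpath.basename(path).lower()

def classify_event(event: dict) -> list:
    """Return alert tags for one process-creation event; empty list means not flagged."""
    tags = []
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent == PAPERCUT_SERVER and child in SHELL_CHILDREN:
        tags.append("papercut-spawned-shell")
    if child in IOC_FILE_NAMES:
        tags.append("ioc-file-name")
    return tags

def scan_events(events) -> list:
    """Return (index, tags) for every event that triggers at least one rule."""
    hits = []
    for i, event in enumerate(events):
        tags = classify_event(event)
        if tags:
            hits.append((i, tags))
    return hits

# Constructed sample events (Sysmon Event ID 1 style fields, simplified).
# The install path C:\PaperCut\... is assumed, not taken from the advisory.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\PaperCut\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\PaperCut\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\PaperCut\server\bin\win\pc-app.exe",
     "Image": r"C:\PaperCut\server\bin\win\java.exe",  # constructed benign child
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # shell, but not a PaperCut child
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",  # IoC file name from the list
     "Image": r"C:\Users\Public\nethelper.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for idx, tags in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)}")
```

Matching on the parent image name alone is deliberately coarse; in production, pair it with the user context (SYSTEM/root) and the unexpected child-process checks in the advisory's detection guidance.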

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a