PaperCut CVE-2023-27350 and CVE-2023-27351 allow remote code execution and authentication bypass on PaperCut MF/NG servers, and unpatched systems are being actively exploited in the wild. The article highlights the spread of proof-of-concept code through hacktivist channels and rising ransomware activity against educational institutions, and urges urgent patching. #PaperCut #CVE-2023-27350 #CVE-2023-27351 #Truebot #ClopRansomware #Atera #SplashTop #HacktivistGroups #Telegram
Key points
- PaperCut CVE-2023-27350 (Critical) and CVE-2023-27351 (High) affect PaperCut MF/NG across platforms.
- Exploitation can bypass authentication and execute arbitrary code, including running as SYSTEM.
- A public proof-of-concept, disseminated via Telegram hacktivist channels, raises the short-term exploitation risk.
- Impact includes remote code execution, SYSTEM access, post-exploitation activity, and potential lateral movement.
- Approximately 1,800 PaperCut servers are internet-facing, with the education sector heavily represented.
- CRIL links the activity to a Russian-speaking threat ecosystem involving Truebot and Clop ransomware, with remote management tools such as Atera and SplashTop implicated in broader campaigns.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attacker exploits the PaperCut vulnerability to bypass authentication and run code. [ “attackers can potentially bypass authentication and execute arbitrary code in the context of SYSTEM.” ]
- [T1068] Exploitation for Privilege Escalation – The attacker gains initial access as SYSTEM. [ “gain initial access as SYSTEM.” ]
- [T1059] Command and Scripting Interpreter – RCE is possible through abuse of the “Scripting” functionality. [ “RCE is possible via the abuse of the “Scripting” functionality.” ]
Indicators of Compromise
- [URL] TrueBot Malware – upd488.windowservicecemter.com/download/ld.txt, upd488.windowservicecemter.com/download/AppPrint.msi
- [Domain] Malicious Websites – anydeskupdate.com, anydeskupdates.com
Read more: https://blog.cyble.com/2023/04/25/print-management-software-papercut-actively-exploited-in-the-wild/