Severe PaperCut Print Management Vulnerabilities Exploited by Attackers

Severe vulnerabilities in PaperCut MF/NG print management software are being exploited by attackers to install Atera remote management software, allowing them to take over servers. These vulnerabilities (tracked as CVE-2023-27350 and CVE-2023-27351) enable attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges. Once authentication is bypassed, attackers can gain remote code execution by abusing the built-in "Scripting" functionality for printers. The two security flaws are severe and could impact millions of users worldwide. Fortunately, PaperCut has already released patches (versions 20.1.7, 21.2.11, and 22.0.9) that fix both vulnerabilities. However, many organizations may not be aware of the risks posed by vulnerable assets in their networks, which could be running unpatched versions of PaperCut.

According to Brian Contos, CSO of Sevco Security, the initial steps to mitigate the risks of high-profile vulnerabilities are to identify vulnerable devices and then patch them. Unfortunately, most organizations have unknown, unmanaged, or abandoned IT assets that are running vulnerable applications, including unpatched versions of PaperCut. Attackers can use a single, vulnerable device as a beachhead to compromise other devices, maintain persistence, evade detection, and conduct malicious acts, such as installing ransomware and performing data exfiltration. Hence, organizations should adopt a proactive approach to mitigate risks before the next headline-grabbing vulnerability threatens their environment.
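One way to act on the "identify, then patch" advice above, as an added example that is not code from Sevco Security, PaperCut or this article: a small Python triage script that classifies an inventory of PaperCut MF/NG versions against the three fix versions the article names. Hostnames and version strings are constructed sample data, and branches the article does not list are deliberately reported as needing manual review rather than guessed.

```python
"""Triage PaperCut MF/NG installs against the fixes for CVE-2023-27350 / CVE-2023-27351.

Fixed versions taken from the article: 20.1.7, 21.2.11, 22.0.9.
All inventory records below are constructed sample data, not real hosts.
"""

# Minimum patched release per major branch (from the article).
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}


def parse_version(text):
    """Turn '21.2.10' (or '21.2.10 build 66301') into a comparable tuple."""
    core = text.strip().split()[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable PaperCut version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad '22.0' -> (22, 0, 0)


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one install."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        # Branch not named in the article; check it against the vendor advisory.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map each (host, version string) pair to a status; never skip bad records silently."""
    result = {}
    for host, version_text in inventory:
        try:
            result[host] = classify(version_text)
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("print-01", "22.0.9"),
    ("print-02", "22.0.8"),
    ("print-03", "21.2.11 build 66301"),
    ("print-04", "20.1.6"),
    ("print-legacy", "19.2.3"),
    ("print-bad", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:13} {status}")
```

Feed it whatever your asset inventory exports (host, reported version); anything marked "unknown-branch" or "unparseable" is an asset that still needs a human to look at it, which is exactly the unmanaged population the article warns about.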

Security researchers from Huntress Labs have been analyzing post-exploitation activity linked to these ongoing attacks since April 16. They discovered that threat actors have been using the flaws to execute PowerShell commands that install Atera and Syncro remote management software.

In light of the recent attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2023-27350 flaw to its list of actively exploited vulnerabilities, ordering federal agencies to secure their systems against ongoing exploitation within three weeks, by May 12, 2023. The ongoing attacks highlight the importance of promptly patching vulnerabilities and adopting a proactive approach to cybersecurity to mitigate risks before attackers can exploit them.
