According to VulnCheck, attackers began exploiting a vulnerability in PaperCut NG and MF, print management software, in mid-April 2023. The vulnerability was later assigned CVE-2023-27350, and multiple security organizations published exploit detections and indicators of compromise, including Huntress, Horizon3.ai, Proofpoint, and Microsoft. However, VulnCheck researchers have now published a proof-of-concept exploit that bypasses all of the published detections.
According to the researchers, the published detections focus on a single code execution method, or on the small subset of techniques used by one threat actor, which makes them ineffective in the next round of attacks. Attackers learn from defenders' public detections, so it is the defenders' responsibility to produce robust detections that cannot be easily bypassed.
The vulnerability in PaperCut NG and MF offers multiple paths to code execution. VulnCheck researchers detail one such path that attackers can use to avoid existing detections based on incorrect assumptions by defenders. The researchers found that the PaperCut software offers a "User/Group Sync" interface that allows administrative users to specify a "Custom Program" to source and authenticate users. The user/auth programs can be any program on disk, and the attacker can provide a malicious username and password during a login attempt to execute arbitrary code.
The researchers developed proof-of-concept exploits for both Linux and Windows by setting the auth program to /usr/sbin/python3 and C:\Windows\System32\ftp.exe, respectively. The attack lets the attacker establish reverse shells on both Windows and Linux targets without triggering any of the published detections. Because this path does not go through PaperCut's scripting interface, it does not produce the log entries that the log-based detections look for.
The detections published so far fall into three groups: Sysmon process-creation rules, log file analysis, and network signatures. The Sysmon rules, published by Huntress and Sophos, have been found to be insufficient; both boil down to this: if pc-app.exe creates a child process called cmd.exe or powershell.exe, then an attacker is exploiting PaperCut NG/MF. That is exactly the assumption the custom-program path sidesteps, since the child process it spawns on Windows is ftp.exe rather than a shell.
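The following is an added example, not code from VulnCheck, Huntress, Sophos, or PaperCut. It runs two detection rules over a handful of constructed Sysmon Event ID 1 (process creation) records: the narrow "pc-app.exe spawns cmd.exe or powershell.exe" logic described above, and a broader rule that flags any child of pc-app.exe that is not on an explicit allowlist. The install path, the event records, and the name `legit-helper.exe` are assumptions made for illustration; the allowlist a real deployment needs would have to be built from a baseline of what pc-app.exe legitimately spawns, which the article does not enumerate.

```python
import ntpath

# Assumed install path for illustration only; not necessarily PaperCut's real layout.
PC_APP = r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe"

# Constructed Sysmon Event ID 1 records (reduced to the two fields the rules use).
SAMPLE_EVENTS = [
    # 0: the case the published rules were written for
    {"ParentImage": PC_APP, "Image": r"C:\Windows\System32\cmd.exe"},
    # 1: the VulnCheck-style bypass: a non-shell living-off-the-land binary
    {"ParentImage": PC_APP, "Image": r"C:\Windows\System32\ftp.exe"},
    # 2: unrelated process tree, should never fire
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    # 3: hypothetical benign helper spawned by pc-app.exe (assumption, for the allowlist)
    {"ParentImage": PC_APP,
     "Image": r"C:\Program Files\PaperCut NG\server\bin\win\legit-helper.exe"},
]

SHELLS = frozenset({"cmd.exe", "powershell.exe"})


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def narrow_rule(event: dict) -> bool:
    """The published Sysmon logic: pc-app.exe directly spawning a shell."""
    return _base(event["ParentImage"]) == "pc-app.exe" and _base(event["Image"]) in SHELLS


def broad_rule(event: dict, allowlist: frozenset = frozenset()) -> bool:
    """Any child of pc-app.exe not on an explicit allowlist of known-good children."""
    return (_base(event["ParentImage"]) == "pc-app.exe"
            and _base(event["Image"]) not in allowlist)


def run_rules(events: list, allowlist: frozenset = frozenset()) -> dict:
    """Return the indices of events each rule flags, so the two can be compared."""
    return {
        "narrow": [i for i, e in enumerate(events) if narrow_rule(e)],
        "broad": [i for i, e in enumerate(events) if broad_rule(e, allowlist)],
    }


if __name__ == "__main__":
    print("no allowlist:  ", run_rules(SAMPLE_EVENTS))
    print("with allowlist:", run_rules(SAMPLE_EVENTS, frozenset({"legit-helper.exe"})))
```

The narrow rule catches only event 0; the broad rule also catches the ftp.exe child in event 1. Without an allowlist the broad rule is noisy (it also flags the hypothetical helper in event 3), which is the trade-off a defender has to resolve with baselining rather than by narrowing the rule back to shell names an attacker can avoid.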