An active cybercriminal campaign is exploiting a vulnerability in PaperCut, a print management software, to deploy the Atera remote management software. Based on reports, the threat actors have exploited the new flaw to take over targeted devices.
Researchers have confirmed two vulnerabilities (CVE-2023-27350 and CVE-2023-27351). These bugs could allow attackers to bypass authentication and run malicious code on affected PaperCut servers with SYSTEM-level privileges. Moreover, the attack process is straightforward and does not require user interaction.
The PaperCut vulnerability could affect numerous hosts, since PaperCut is widely used software.
A recent tally showed that more than 1,000 Windows hosts have the software installed; hence, the PaperCut vulnerability could be present in many deployments across numerous organisations.
In addition, three macOS hosts with the PaperCut server installed were identified after the recent vulnerability announcement. Two of the hosts are running a vulnerable version. Furthermore, at least 1,800 PaperCut servers are publicly accessible despite being intended for exclusively internal use.
According to investigations, threat actors initially deploy legitimate RMM apps such as Syncro and Atera to establish persistent access to a vulnerable system. Further research into a domain involved in the recent attacks also uncovered a Windows DLL linked to a variant of the Truebot malware.
Truebot is a post-exploitation tool that a notorious group has used in a separate attack. The group is allegedly affiliated with the Russian hacking group TA505 and the Cl0p ransomware campaigns.
The potential involvement of notorious ransomware groups in attacks on the PaperCut vulnerability could significantly threaten numerous organisations. A recent study of vulnerable PaperCut servers found that threat actors could bypass authentication by accessing the ‘SetupCompleted’ page.
This detail shows that an attacker could log in as an admin without valid credentials and make changes on the compromised system to disable security measures and stage further attacks.
As of now, cybersecurity experts advise organisations to upgrade to PaperCut version 20.1.7, 21.2.11, or 22.0.9 to prevent exploitation by malicious actors. Lastly, the software's developers have provided workarounds for users unable to update immediately.
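As an added example (not code from the article or from PaperCut), the following Python script checks an inventory of installed PaperCut versions against the fixed releases named above, so an administrator can see which servers still need the upgrade. The hostnames and version strings in the sample inventory are constructed, and treating branches the article does not list (such as 19.x) as "unknown" rather than as safe is an assumption of this example.

```python
"""Triage PaperCut server versions against the fixed releases named in the article.

Added example; not PaperCut's own tooling.
"""
import re

# Fixed releases named in the article, keyed by major.minor branch.
FIXED_RELEASES = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}

# Accept strings such as "22.0.8" or "22.0.8 (Build 66321)".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) parsed from a version string.

    Raises ValueError if no three-part version is found at the start.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify one installed version.

    Returns:
      'patched'    - at or above the fixed release for its branch
      'vulnerable' - same branch, but below the fixed release
      'unknown'    - a branch the article names no fix for; assumption: flag it
                     for review rather than treat it as safe
    """
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (major, minor, patch) numerically.
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """Group an iterable of (hostname, version string) pairs by status.

    Unparseable version strings land in 'unknown' so they are not silently
    dropped from the report.
    """
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, ver in inventory:
        try:
            result[assess(ver)].append(host)
        except ValueError:
            result["unknown"].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("print-01", "22.0.9"),
    ("print-02", "22.0.8 (Build 66321)"),
    ("print-03", "21.2.11"),
    ("print-04", "20.1.6"),
    ("print-05", "19.2.4"),
    ("print-06", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed `triage()` the output of whatever asset inventory you already keep (for example a CMDB export of hostname and reported PaperCut version); anything in the `vulnerable` or `unknown` buckets is a candidate for the upgrade or the vendor's workarounds.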