Microsoft reports two Iranian hacking groups exploiting PaperCut flaw

The two groups exploiting the vulnerability are Mango Sandstorm and Mint Sandstorm. Both are linked to the Iranian government and intelligence agencies.
The PaperCut vulnerability is a flaw in widely used print management software that allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges and obtain sensitive personal information stored on company servers.

Microsoft’s threat intelligence team reports that two Iranian state-sponsored hacking groups are actively exploiting a vulnerability in PaperCut, a widely used print management software. Government agencies, educational institutions, and large organizations worldwide are among the leading users of PaperCut.

About the Hackers

Two prominent Iranian hacking groups have been observed exploiting this vulnerability. Mango Sandstorm is affiliated with the country’s Ministry of Intelligence and Security (MOIS). The other group, Mint Sandstorm, is linked to the Islamic Revolutionary Guard Corps (IRGC). Microsoft describes this exploitation activity as “opportunistic,” affecting organizations across diverse sectors and regions.

Vulnerability Found in PaperCut Actively Exploited by Hackers

According to Microsoft’s report, Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) are exploiting the PaperCut vulnerability (tracked as CVE-2023-27350 with a CVSS score of 9.8) for initial access in their attacks.

The report indicates that Mint Sandstorm is continually working to incorporate proof-of-concept (PoC) exploits into its operations, whereas Mango Sandstorm’s exploitation activity has been considerably lower. Both actors are targeting companies running unpatched versions of the printing software.

“We have evidence to suggest that unpatched servers are being exploited in the wild,” Microsoft noted.

On Friday, Microsoft said two nation-state actors it calls Mint Sandstorm and Mango Sandstorm have been attacking companies running unpatched versions of PaperCut software, which is used widely by government agencies, universities, and large companies around the world.

More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.

— Microsoft Threat Intelligence (@MsftSecIntel) May 5, 2023

When was it Discovered?

The flaw was disclosed by Trend Micro’s Zero Day Initiative (ZDI) on March 8. The company published an urgent update to its advisory, urging organizations running PaperCut to install the patch. Since the advisory was published, many ransomware groups have begun exploiting the flaw, including LockBit and Clop.

The attack spree follows Microsoft’s earlier report on the Lace Tempest cybercrime group abusing this flaw to distribute LockBit and Cl0p ransomware. The flaw affects PaperCut NG and MF installations. Trend Micro says it will release more details about the vulnerability on May 10.

What are the Dangers Associated with this Vulnerability?

An unauthenticated attacker can easily exploit the flaw to execute arbitrary code with SYSTEM privileges. Attackers can gain remote access to victims’ systems and obtain sensitive personal information, including usernames, full names, payment card numbers linked to the account, and email addresses, which are usually stored on company servers.

CISA (the Cybersecurity and Infrastructure Security Agency) added the flaw to its list of known exploited vulnerabilities last month and has set a May 12, 2023 deadline for federal civilian agencies to install the patch.
