Threat Emulation: PaperCut

Welcome to the June 2023 #ThreatThursday! This month's plan is based on the PaperCut MF/NG vulnerability which allowed for unauthenticated remote code execution. Security researchers at Huntress were tracking post-exploitation activities within their partner environments and put together a nice write-up documenting their findings - check it out here!

PaperCut offers two print management products, PaperCut NG and PaperCut MF, and reports more than 100 million users from 70,000+ organizations worldwide. In April, PaperCut released an advisory noting that a critical vulnerability it patched in March 2023 was being actively exploited against machines that had yet to be updated. The vulnerability, tracked as CVE-2023-27350, is scored as a 9.8 out of 10 severity. This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914) and execute arbitrary code in the context of SYSTEM. Post-exploitation activity often resulted in PowerShell command execution to download remote monitoring software such as Atera, BITSadmin to download additional tools, and deployment of cryptominers.

Huntress notes that it has detected approximately 1,800 internet-exposed PaperCut servers and that they have observed the threat actors leveraging the deployed remote access tools to plant Truebot malware which has been linked to the Russian-backed Cl0p group. It logically follows that initial access obtained via PaperCut exploitation can be leveraged as a foothold leading to lateral movement within a victim network and ransomware deployment. Organizations using PaperCut are urged to ensure their systems are updated immediately.

SCYTHE Customers can read the full write-up and download this month’s plan in the customer portal.

Happy Hunting! : )