June Update: The Escalation of the PaperCut Vulnerability Campaign
Executive Summary
Over the past two months, the Cyberint research team has witnessed an extensive campaign in which threat actors are actively exploiting the recently discovered vulnerability in the PaperCut print management platform. The Cyberint research team has identified a significant trend in relation to these recent attacks and associated incidents linked to this vulnerability.
Multiple threat actors are specifically focusing their efforts on targeting the education sector, resulting in a significant surge in attacks within this industry, with the occurrence rate escalating by several hundred percent in recent times.
This report provides a comprehensive overview of two vulnerabilities found in the PaperCut software: CVE-2023-27350 and CVE-2023-27351. It delves into the potential consequences of these vulnerabilities and highlights the threat actors who have taken advantage of them, including notable ransomware groups such as LockBit, Bl00dy, and Clop. Furthermore, the report includes recommendations for mitigation that affected organizations can adopt to effectively address these vulnerabilities.
What Is PaperCut?
PaperCut is a comprehensive print management software that enables organizations to manage their printing environments effectively. It encompasses a variety of features, such as print job tracking, quotas, rules-based printing, and cost accounting. PaperCut supports both on-premise and cloud deployments and is compatible with a wide array of printers and operating systems.
PaperCut offers clients a range of products, including the distinct print management solutions known as PaperCut NG and PaperCut MF. These products are utilized by local governments, large enterprises, healthcare institutions, and educational organizations. PaperCut’s website states that its software has garnered an extensive user base of over 100 million individuals across more than 70,000 organizations worldwide.
The PaperCut Vulnerabilities
On March 8th, PaperCut released new versions of their enterprise print management software which encompassed fixes for two vulnerabilities: CVE-2023-27350 and CVE-2023-27351. These vulnerabilities were reported to the company in early January, prompting the necessary fixes to ensure the security of their products.
CVE-2023-27350
CVE-2023-27350, which was reported by the Zero Day Initiative, is a critical vulnerability found in both PaperCut MF and NG installations. It can be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges, making it highly impactful.
Due to its severity and ease of exploitation, it has received a CVSS severity score of 9.8 and the highest CVE score on the Argos CVE intel module, reaching -10.
The exploit manipulates the default print-script templates by inserting malicious entries. Because the malicious script escapes the security sandbox, it gains direct access to the Java runtime, enabling code execution on the main server.
Although the scripts primarily contain functions intended for later execution, code in the global scope runs immediately when the script is saved. This means that a simple alteration of a printer script can be leveraged by a threat actor to execute arbitrary code, leading to Remote Code Execution.
Exploiting the vulnerability in PaperCut could serve as an entry point for further activities within the target network. This could involve unauthorized movement within the network, unauthorized access to sensitive data, manipulation of data, the establishment of persistent backdoors for future access, and even the deployment of ransomware.
CVE-2023-27351
PaperCut also raised concerns regarding a similar vulnerability in its software, CVE-2023-27351, which carries a severity rating of 8.2 out of 10. This bug enables threat actors to retrieve user information stored within customers' PaperCut MF and NG servers.
The compromised data includes usernames, full names, email addresses, department details, and payment card numbers linked to the affected accounts.
Although CVE-2023-27351 has been published alongside CVE-2023-27350 and has also been exploited already, this report will primarily focus on CVE-2023-27350 due to its higher level of criticality and risk.
PaperCut Vulnerability Exploitation Timeline
After the disclosure of CVE-2023-27350, a Shodan search showed approximately 1,800 publicly exposed PaperCut servers. However, Cyberint’s recent findings indicate that approximately 700 servers remain exposed as of today.
This CVE is easy to exploit and has already been observed in the wild, associated with ransomware attacks by notorious ransomware groups such as Bl00dy, Clop, and LockBit.
While PaperCut officially acknowledged the active exploitation and issued a notification on April 19, Cyberint found evidence indicating that exploitation had begun as early as April 13. Notably, most targeted victims belong to the education sector, which comprises a significant portion of PaperCut’s customer base. Below, we outline the timeline of events related to CVE-2023-27350:
Surprising Exploitation Simplicity of the PaperCut Vulnerability
As previously mentioned, a simple search on Shodan revealed around 1,800 potentially vulnerable PaperCut servers when the vulnerability was initially detected. The ease of finding potential victims is attributed to PaperCut’s internet-facing web interface, which makes it susceptible to exploitation even by less sophisticated threat actors.
Moreover, proof-of-concept (PoC) exploits, demonstrations, and guidance for the vulnerability are very easy to find on the deep and dark web (Figure 2).
In addition, Cyberint identified extensive chatter around this issue (Figure 3), which further supports the conclusion that this vulnerability is fairly easy to exploit.
To date, Cyberint has identified approximately 700 potentially vulnerable PaperCut servers, with 35% of them belonging to the education sector. Despite the critical nature of the vulnerability and its awareness within the cybersecurity community, it appears that many educational institutions have not yet patched and updated their PaperCut systems.
This raises concerns about the security maturity level within the sector, especially considering the ongoing cyber-attacks targeting educational organizations. The educational sector has suffered an increase in ransomware cases in the past six months, partially due to the discovery of this vulnerability.
Even if all education organizations eventually patch the vulnerability, the longer it takes, the more time threat actors have to exploit it. It’s crucial to note that even after patching and updating PaperCut, if a system was already compromised prior to the patch, a threat actor may have already gained access to sensitive data and systems.
The factors mentioned above, including the simplicity of finding vulnerable victims and the exploitability of the vulnerability (Figures 4 and 5), the presence of valuable and sensitive data in vulnerable systems, and the potentially devastating consequences of its exploitation, collectively attract the attention of all kinds of threat actors.
The PaperCut Vulnerability Campaign’s Threat Actors
Among the ransomware and threat actor groups that have exploited this vulnerability, notable examples include LockBit, Bl00dy, Cl0p, MuddyWater, and Phosphorus. These groups stand out for quickly embracing CVEs as part of their attack strategies. They exhibit a remarkable capacity to swiftly integrate proof-of-concept (PoC) exploits into their operations, showcasing their agility and adaptability. This demonstrates their deep understanding of emerging vulnerabilities and their proactive approach to leveraging them for malicious purposes.
In the last six months, the Cyberint research team has observed a surge in attacks targeting the education sector, with specific references to the PaperCut environment in ransomware attacks that happened before the CVE was published. Since December 2022 there has been a 178% increase in ransomware attacks targeting educational institutions. This alarming trend suggests that threat actor groups may have exploited this vulnerability prior to its official disclosure.
LockBit
The LockBit Ransomware Group initially emerged in September 2019. With the shutdown of the Conti Group, LockBit became the most prominent ransomware group in 2022 and continues to maintain its position as one of the most active groups to date.
Since the beginning of 2023, LockBit has recorded over 422 publicly announced cases and over 1,700 victims in total, cementing its position as a significant threat in the cybersecurity landscape.
LockBit primarily focuses on US and European victims, specifically targeting the manufacturing, services, retail, and education sectors, among others.
The Cyberint research team was able to find evidence that strongly suggests that the LockBit ransomware group has been actively capitalizing on the vulnerabilities to execute a PowerShell script, ultimately resulting in the deployment of the LockBit ransomware.
Clop
Originating in Russia, the Clop ransomware group, also known as Cl0p, emerged in February 2019. It has been actively focusing on a broad range of sectors globally, including retail, transportation, education, manufacturing, automotive, energy, financial, telecommunications, and healthcare.
Clop currently ranks as the second most active ransomware group worldwide in Q1, consistently compromising new victims every week.
Clop ransomware group claims to have initiated the exploitation of PaperCut servers on April 13th. Clop’s primary objective was gaining initial access to corporate networks rather than extracting archived documents from the servers.
Before deploying ransomware, Clop employed remote tools to implant Truebot malware, a known tool used by the gang. Truebot has also been associated with Clop’s mass hack targeting Fortra’s GoAnywhere file transfer tool.
Considering how Clop takes advantage of this vulnerability, and looking at previous instances where the group has utilized 0-day exploits such as the recent GoAnywhere vulnerability (CVE-2023-0669), it is clear that Clop has adopted CVE exploitation as its modus operandi. Compared to other ransomware groups, Clop’s primary focus appears to be exploiting vulnerabilities rather than relying on alternative methods.
Bl00dy Ransomware
The Bl00dy ransomware group initiated its operations in May 2022 and has since targeted well-known organizations across various industries using double extortion techniques.
The Bl00dy gang encrypts files on the victim’s machine and adds the “.bl00dy” extension to the encrypted files. The gang creates a ransom note on the compromised system. The group has been observed using Conti’s ransomware modules.
In early May 2023, US cybersecurity and intelligence agencies issued a joint advisory warning of targeted attacks carried out by the Bl00dy Ransomware Gang against the education facilities sector in the country. Bl00dy specifically exploited vulnerable PaperCut servers that organizations within the Education Facilities Subsector had exposed to the internet.
As a result of these attacks, the Bl00dy Ransomware Gang gained unauthorized access to victim networks, leading to data exfiltration and encryption of system files. Bl00dy left ransom notes on compromised systems, demanding payment in exchange for decrypting the encrypted files.
MuddyWater & Phosphorus
MuddyWater is an espionage group operating within Iran’s Ministry of Intelligence and Security (MOIS).
Since at least 2017, MuddyWater has directed its efforts towards various government and private entities across sectors, including telecommunications, local government, defense, oil, and natural gas organizations.
MuddyWater focuses its targeting efforts on victims located in a wide range of regions, including the Middle East, Asia, Africa, Europe, and North America.
Phosphorus, also known as Charming Kitten, is a state-sponsored Iranian threat group that has exhibited significant activity since 2017. The group shares alignment with Iran’s Islamic Revolutionary Guard Corps in terms of targeting strategy. Phosphorus has gained notoriety for using phishing techniques focusing on influential individuals.
Both Iranian groups have joined the ongoing campaign targeting these vulnerabilities. Their exploitation has affected organizations across various sectors and regions, suggesting an opportunistic approach.
MuddyWater has utilized tools from previous campaigns to establish connections with its command-and-control infrastructure.
The potential for significant financial gains, and the ability to cause considerable damage to immature organizations that have not implemented sufficient security measures, make the PaperCut vulnerability highly enticing to exploit. This has resulted in a considerable number of threat actors abusing it.
This vulnerability underscores the importance of regularly patching and keeping all platforms up to date. However unexpected it may seem that a print management system can have such devastating consequences for organizations, such outcomes are often the result of not implementing strong security measures.
PaperCut Vulnerability Recommendations & Mitigations
- Immediate patching of the affected versions of PaperCut MF/NG is highly recommended. Upgrade PaperCut to the latest version, specifically versions 20.1.7, 21.2.11, or 22.0.9. It’s important for organizations to be aware that their systems may have been compromised prior to applying the patch, allowing threat actors to gain unauthorized access to sensitive data. Therefore, it is advisable to assume compromise and proactively investigate for any signs of suspicious activity related to exploitation attempts.
- If immediate patching of vulnerable PaperCut servers is not feasible, it’s essential to take measures to limit the exposure to potential attacks. One crucial step is to ensure that these servers are not accessible over the Internet. While this measure helps mitigate the risk, it’s important to keep in mind that it’s temporary and patching remains the most effective long-term solution to address the vulnerabilities in PaperCut servers.
- Verify that there is no nc.exe file present in the user’s Downloads folder. If it exists, it may indicate that threat actors have already gained access to the organization’s systems.
- Furthermore, it is crucial to implement various security measures, such as Firewall rules and Intrusion Detection Systems, to enhance the overall security posture of the server running PaperCut.
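The following is an added example (not Cyberint's or PaperCut's own code) that turns the three checks above into a triage routine for a PaperCut host inventory: it compares the installed version against the fixed releases named in the report, flags Internet exposure, and flags any nc.exe in users' Downloads folders. The version-string shape with a "(Build …)" suffix, the treatment of branches newer than 22 as fixed and older than 20 as lacking a fixed release, and the sample inventory are all assumptions constructed for the example.

```python
import re

# Fixed releases named in the report, keyed by release branch.
# Assumption (not from the report): branches newer than 22 are treated as fixed,
# branches older than 20 as having no fixed release and therefore unpatched.
FIXED_VERSIONS = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the numeric x.y.z part of a version string.

    Accepts plain '22.0.9' as well as '22.0.9 (Build 12345)'; the build-suffix
    shape is an assumption for this example, not taken from the report.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(version_text):
    """True when the version is at or above the fixed release for its branch."""
    ver = parse_version(version_text)
    branch = ver[0]
    if branch in FIXED_VERSIONS:
        return ver >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)


def triage_host(hostname, version_text, downloads_listing, internet_exposed):
    """Return a list of findings for one PaperCut server.

    downloads_listing: file paths found under users' Downloads folders.
    internet_exposed: whether the web interface is reachable from the Internet.
    """
    findings = []
    if not is_patched(version_text):
        findings.append(f"{hostname}: unpatched version {version_text}; upgrade to 20.1.7, 21.2.11 or 22.0.9")
    if internet_exposed:
        findings.append(f"{hostname}: web interface exposed to the Internet; restrict access until patched")
    for path in downloads_listing:
        # Normalise Windows and POSIX separators, then compare the file name only.
        if path.replace("\\", "/").lower().rsplit("/", 1)[-1] == "nc.exe":
            findings.append(f"{hostname}: nc.exe found at {path}; assume compromise and investigate")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory entry, not data from the report.
    sample = ("print-srv-01", "21.2.10 (Build 12345)", [r"C:\Users\admin\Downloads\nc.exe"], True)
    for finding in triage_host(*sample):
        print(finding)
```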
IOCs