Exploit code for a critical printer software vulnerability became publicly available on Monday in a release that may exacerbate the threat of malware attacks that have already been underway for the past five days.
The vulnerability resides in print management software known as PaperCut, which the company’s website says has more than 100 million users from 70,000 organizations. When this post went live, the Shodan search engine showed that close to 1,700 instances of the software were exposed to the Internet.
Last Wednesday, PaperCut warned that a critical vulnerability it patched in the software in March was under active attack against machines that had yet to install the March update. The vulnerability, tracked as CVE-2023–27350, carries a severity rating of 9.8 out of a possible 10. It allows an unauthenticated attacker to remotely execute malicious code without needing to log in or provide a password. A related vulnerability, tracked as CVE-2023–27351 with a severity rating of 8.2, allows unauthenticated attackers to extract usernames, full names, email addresses, and other potentially sensitive data from unpatched servers.
Two days after PaperCut revealed the attacks, security firm Huntress reported that it found threat actors exploiting CVE-2023-27350 to install two pieces of remote management software—one known as Atera and the other Syncro—on unpatched servers. Evidence then showed that the threat actor used the remote management software to install malware known as Truebot. Truebot is linked to a threat group known as Silence, which has ties with the ransomware group known as Clop. Previously Clop used Truebot in in-the-wild attacks that exploited a critical vulnerability in software known as GoAnywhere.
“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning,” Huntress researchers wrote in their report on Friday. “Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”
Huntress provided a broad description of the vulnerabilities and how to exploit them. It also published the video below showing an exploit in action. The company, however, didn’t release the exploit code.
The exploit works by adding malicious entries to one of the template printer scripts that are present by default. By disabling security sandboxing, the malicious script can gain direct access to the Java runtime and, from there, execute code on the main server. “As intended, the scripts contain only functions which serve as hooks for future execution, however the global scope is executed immediately upon saving, and therefore a simple edit of a printer script can be leveraged to achieve Remote Code Execution,” Huntress explained.
On Monday, researchers with security firm Horizon3 published their analysis of the vulnerabilities, along with proof-of-concept exploit code for the more severe one. Similar to the PoC exploit described by Huntress, it uses the authentication bypass vulnerability to tamper with the built-in scripting functionality and execute code.
On Friday, Huntress reported there were roughly 1,000 Windows machines with PaperCut installed in the customer environments it protects. Of those, roughly 900 remained unpatched. Of the three macOS machines it monitored, only one was patched. Assuming the numbers are representative of PaperCut’s larger install base, the Huntress data suggests that thousands of servers remain under threat of being exploited. As noted earlier, close to 1,700 servers are easy to find exposed to the Internet. Additional sleuthing might be able to find more still.
Any organization using PaperCut should ensure it’s using PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9. PaperCut and Huntress also provide workarounds for organizations that aren’t able to update right away. Huntress and Horizon3 also provide indicators PaperCut users can check to determine if they have been exposed to exploits.