Securing The Educational Sector Against PaperCut Vulnerability and Ransomware
On 19th April 2023, PaperCut released a security alert stating, “We have evidence to suggest that unpatched servers are being exploited in the wild”. The vendor's advisory covers two CVEs: CVE-2023-27350 (Severity: Critical) and CVE-2023-27351 (Severity: High). Details for both are provided below.
CVE-2023-27350 (Critical)
Affected versions: PaperCut MF or NG version 8.0 or later on all OS platforms.
This flaw exists within the SetupCompleted class and results from improper access control. Attackers can leverage it to bypass authentication and execute arbitrary code in the context of SYSTEM.
Because exploitation can be performed remotely and without any authentication, the severity of this vulnerability is considerably higher.
CVE-2023-27351 (High)
Affected versions: PaperCut MF or NG version 15.0 or later on all OS platforms.
This flaw exists within the SecurityRequestFilter class and results from an improper implementation of the authentication algorithm. Attackers can leverage it to bypass authentication on the system.
We encourage users to apply the patch provided by the official vendor.
While analyzing the affected version, Horizon3 researchers observed that this vulnerability exists due to Session Variable Overloading (also known as Session Puzzling).
“This vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another.”
In this case, an attacker can bypass authorization simply by navigating to “[Victim IP]:[Port]/app?service=page/SetupComplete” and clicking Login.
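Detection logic for the bypass path just described, added here as an example (not code from Cyble, Horizon3 or PaperCut): it flags access-log requests to the SetupCompleted page and records what the same client did afterwards. It assumes a combined-style web access log (the sample lines are constructed, not PaperCut's real log format) and an internal address range of 10.0.0.0/8.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines; page names other than
# SetupCompleted are placeholders, not real PaperCut routes.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2023:10:01:02 +0000] "GET /app?service=page/Home HTTP/1.1" 200 512
203.0.113.9 - - [21/Apr/2023:10:02:10 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 2048
203.0.113.9 - - [21/Apr/2023:10:02:15 +0000] "POST /app HTTP/1.1" 302 0
203.0.113.9 - - [21/Apr/2023:10:02:20 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 4096
10.0.0.7 - - [21/Apr/2023:10:03:00 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
# Matches both "SetupComplete" and "SetupCompleted", case-insensitively.
SETUP_PAGE_RE = re.compile(r"service=page/SetupComplete", re.IGNORECASE)


def parse_line(line):
    """Return (ip, method, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    return (m["ip"], m["method"], m["path"]) if m else None


def find_setup_bypass_attempts(log_text, internal_nets=("10.0.0.0/8",)):
    """Map client IP -> {"setup_hits", "followups", "external"} for every
    client that reached the setup page. Lines are assumed chronological."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = defaultdict(lambda: {"setup_hits": 0, "followups": 0, "external": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path = rec
        if SETUP_PAGE_RE.search(path):
            entry = hits[ip]
            entry["setup_hits"] += 1
            addr = ipaddress.ip_address(ip)
            entry["external"] = not any(addr in n for n in nets)
        elif ip in hits:
            # Later requests from a client that reached the setup page may be
            # an administrator session obtained through the bypass: review them.
            hits[ip]["followups"] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_setup_bypass_attempts(SAMPLE_LOG).items():
        print(ip, info)
```

External sources with follow-up requests (203.0.113.9 above) are the highest-priority finding; an internal hit with no follow-ups may still be a legitimate first-run setup and should be checked against the server's install date.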
As exploitation is straightforward and a Proof of Concept has been released publicly, various Threat Actors (TAs) are likely to exploit this vulnerability soon.
Cyble Research and Intelligence Labs (CRIL) observed that a “Telegram community” that promotes notorious hacktivist groups shared the Proof Of Concept (POC) on their channel (Figure-1). Since this Telegram community has multiple hacktivist groups and TAs as members, the vulnerability is prone to be exploited by attackers in the near future.
- TAs could change the predefined configuration of the print management software.
- Remote Code Execution (RCE) is possible via abuse of the “Scripting” functionality.
- TAs can gain initial access as SYSTEM.
- Adversaries might establish Command & Control infrastructure on the compromised system and perform post-exploitation activities.
- TAs could gain a foothold in the victim’s network and perform lateral movement.
- Exploitation of this vulnerability increases the likelihood of ransomware attacks.
Internet Exposure of PaperCut
As per an online scanner, there are approximately 1800 Internet-facing PaperCut servers, the majority of which belong to organizations in the education sector.
The figure below shows a geographical representation of the same.
The chart below shows the top 5 countries with the highest number of exposed assets.
Russian Hackers Suspected of Exploiting the PaperCut Vulnerability
In light of recent events, a blog published by Huntress mentions, “the adversary gains persistent remote access and code execution on the victim machine via the installed Atera remote management and maintenance (RMM) software & Syncro”.
The windowservicecemter[.]com domain was observed among the Indicators of Compromise (IoCs). Upon further investigation, this domain pointed to upd488[.]windowservicecemter[.]com/download/ld.txt. Analysis of the file ‘ld.txt’ showed that it is a Windows DLL, specifically a Truebot malware variant.
Truebot is associated with the Silence group, which in turn is linked to the Clop ransomware group. The same ransomware group claimed responsibility for exploiting GoAnywhere software as a precursor to ransomware attacks.
Concurrently, on 21st April 2023, a Reddit user also stated, “Atera Agent and SplashTop Streamer were installed and were going to be the remote access agents.”
Cyble Research and Intelligence Labs (CRIL) has recently observed Threat Actors and Ransomware groups taking a particular interest in exploiting the latest vulnerabilities and zero-days as a springboard to launch their attacks, ranging from ransomware and information stealers to spyware and Trojans.
Additionally, the Cybersecurity & Infrastructure Security Agency (CISA) added the PaperCut vulnerability – CVE-2023-27350, in their Known Exploited Vulnerabilities (KEV) catalog on 21st April 2023, which highlights the threat this poses to users and also indicates the active exploitation of the PaperCut vulnerability.
Over the past few weeks, CRIL has analyzed and charted a surge in ransomware attacks directed at Educational institutions. Just 4 months into 2023, 67 institutions have been targeted by ransomware attacks, of which 35 were from the United States. Most of these attacks were launched by Russian-speaking TAs or groups, indicating this may be a consolidated, targeted effort from them.
As stated earlier in our analysis, given the exposure of PaperCut servers in the education sector, ransomware operators are more likely to leverage this vulnerability in attacks on this sector going forward.
We recommend urgently patching all vulnerable systems, since all the vulnerabilities mentioned in this analysis fall under the ‘Critical’ or ‘High’ severity categories.
- Keeping software, firmware, and applications updated with the recent patches and mitigations released by the official vendor is necessary to prevent attackers from exploiting vulnerabilities.
- Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
- Keep critical assets behind properly configured and updated firewalls.
- We highly recommend locking down network access to the server(s), particularly if you have an older application that doesn’t have a minor patch available.
- Block all inbound traffic from external IPs to the web management port (ports 9191 and 9192 by default).
- Block all inbound traffic to the web management portal at the server's host firewall. Note: this prevents lateral movement from internal hosts, but PaperCut service management can then only be performed locally on that asset.
- Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this only to allow the IP addresses of verified Site Servers on your network.
Indicators of Compromise