PaperCut has recently reported that the company’s application servers are vulnerable to a critical RCE flaw known as CVE-2023-27350, with a CVSS of 9.8. As a response to a growing number of exploitation attempts, CISA added the discovered bug to its Known Exploited Vulnerabilities (KEV) catalog.
Proactive detection of vulnerability exploitation has remained one of the top content priorities since 2021 due to a growing number of discovered CVEs compromising widely used software solutions and actively leveraged in in-the-wild attacks. With the critical PaperCut CVE-2023-27350 flaw actively exploited in the wild, cyber defenders are looking for ways to timely identify the infection. SOC Prime team has recently released a new Sigma rule, which identifies possible authentication bypass attempts in PaperCut print management software related to the CVE-2023-27350 exploitation patterns:
Possible PaperCut CVE-2023-27350 Exploitation Attempt (via webserver)
This Sigma rule is aligned with the MITRE ATT&CK v12 framework addressing the Initial Access tactic with the corresponding Exploit Public-Facing Application (T1190) technique and can be applied across industry-leading SIEM, EDR, XDR, and BDP solutions.
To always keep up with an avalanche of critical vulnerabilities weaponized by attackers and exposing organizations to severe threats, SOC Prime enables cyber defenders to instantly reach relevant detection content and risk-optimize their cybersecurity posture. Click the Explore Detections button below to gain access to the comprehensive collection of Sigma rules for CVE detection enriched with CTI and ATT&CK references and other relevant cyber threat context for streamlined threat investigation.
PaperCut MF/NG is a popular print management system with 100M+ active users from 70K+ organizations globally. In January 2023, cybersec researchers revealed and reported a bug (CVE-2023-27350) enabling unauthenticated hackers to achieve remote code execution (RCE) on PaperCut Application Server. Although the bug was immediately patched by the vendor, the ongoing observations point that many PaperCut servers remain susceptible to attacks, with lots of in-the-wild exploitations observed to date.
The security gap in the limelight stems from an improper access control gap in the SetupCompleted class of PaperCut MF/NG. If successfully exploited, the flaw enables adversaries to bypass authentication and execute arbitrary code with the System privileges remotely.
PaperCut MF/NG versions 8.0 and later confirmed to be affected, and the security issue was addressed in March 2023 with the release of versions 20.1.7, 21.2.11, and 22.0.9. Users are prompted to update their instances ASAP to prevent possible attacks against their infrastructure.
Recently Horizon3 issued a public analysis of the notorious flaw accompanied by a PoC exploit. With this PoC at hand, attackers might gain RCE by abusing built-in “Scripting” functionality for printers. Additionally, researchers from Huntress analyzed the security gap and are about to release a demo video of another PoC.
The analysis by Huntress also points out that Clop ransomware operators are possibly linked to the latest cyber attacks relying on the critical PaperCut bug. Specifically, the analyzed attack kill chain presumes using CVE-2023-27350 to execute PowerShell and install Atera & Syncro remote management software. The intrusions relied on windowservicecenter.com domain, the same one hosting and dropping TrueBot downloader frequently leveraged to deliver Clop ransomware.
In view of the significant threat posed by this vulnerability, CISA has added CVE-2023-27350 to its KEV Catalog and urged federal agencies to patch their instances by May 12, 2023.
Rely on SOC Prime to be fully equipped with detection content for any exploitable CVE and any TTP used in cyber attacks. Gain access to 800+ rules for emerging and established vulnerabilities to instantly identify malicious behavior and timely remediate the threats. Get 140+ Sigma rules for free at https://socprime.com/ or reach the entire list of relevant detection algorithms by choosing the On Demand subscription tailored to your security needs at https://my.socprime.com/pricing/.