US-CERT- Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

Netwörkheäd · May 17, 2023, 06:01:49 AM

Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

[html]

SUMMARY

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of https://nvd.nist.gov/vuln/detail/CVE-2023-27350" title="CVE-2023-27350">CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. PaperCut released a patch in March 2023.

According to FBI observed information, malicious actors exploited CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, also according to FBI information, a group self-identifying as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers against the Education Facilities Subsector.

This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well and indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.

Download the PDF version of this report (653kb):

AA23-131A_Malicious_Actors_Exploit_CVE-2023-27350_in_PapercCut_MF_and_NG.pdf
(PDF, 652.93 KB
)

For a downloadable copy of IOCs (55kb), see:

AA23-131A.STIX_.XML
(XML, 54.98 KB
)

TECHNICAL DETAILS

Vulnerability Overview

https://nvd.nist.gov/vuln/detail/CVE-2023-27350" title="CVE-2023-27350">CVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the following affected installations of PaperCut:[https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#product-status-and-next-steps" title="Product status and next steps">1]

Version 8.0.0 to 19.2.7

Version 20.0.0 to 20.1.6

Version 21.0.0 to 21.2.10

Version 22.0.0 to 22.0.8

PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls in the SetupCompleted Java class, allowing malicious actors to bypass user authentication and access the server as an administrator. After accessing the server, actors can leverage existing PaperCut software features for remote code execution (RCE). There are currently two publicly known proofs of concept for achieving RCE in vulnerable PaperCut software:

Using the print scripting interface to execute shell commands.

Using the User/Group Sync interface to execute a living-off-the-land-style attack.

FBI and CISA note that actors may develop other methods for RCE.

The PaperCut server process pc-app.exe runs with SYSTEM- or root-level privileges. When the software is exploited to execute other processes such as cmd.exe or powershell.exe, these child processes are created with the same privileges. Commands supplied with the execution of these processes will also run with the same privileges. As a result, a wide range of post-exploitation activity is possible following initial access and compromise.

This CVE was added to CISA's https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities (KEV) Catalog on April 21, 2023.

Threat Actor Activity

Education Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files (see Figure 1).

*Figure 1: Example Bl00dy Gang Ransomware Note*

According to FBI information, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut's print scripting interface. External network communications through Tor and/or other proxies from inside victim networks helped Bl00dy Gang ransomware actors mask their malicious network traffic. The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.

DETECTION METHODS

Network defenders should focus detection efforts on three key areas:

Network traffic signatures – Look for network traffic attempting to access the SetupCompleted page of an exposed and vulnerable PaperCut server.

System monitoring – Look for child processes spawned from a PaperCut server's pc-app.exe process.

Server settings and log files – Look for evidence of malicious activity in PaperCut server settings and log files.

Network Traffic Signatures

To exploit CVE-2023-27350, a malicious actor must first visit the SetupCompleted page of the intended target, which will provide the adversary with authentication to the targeted PaperCut server. Deploy the following https://rules.emergingthreats.net/open/">Emerging Threat Suricata signatures to detect when GET requests are sent to the SetupCompleted page. (Be careful of improperly formatted double-quotation marks if copying and pasting signatures from this advisory.)

Note that some of the techniques identified in this section can affect the availability or stability of a system. Defenders should follow organizational policies and incident response best practices to minimize the risk to operations while threat hunting.