vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Iranian Threat Actors Exploit PaperCut Vulnerability

Husain Parvez, Cybersecurity Researcher. Published on 11th May 2023

Microsoft revealed over the weekend that financially motivated actors are not the only ones exploiting a critical vulnerability in PaperCut print management software. Iranian state-sponsored threat actors Mango Sandstorm (also referred to as Mercury or MuddyWater) and Mint Sandstorm (also known as Phosphorus or APT35) have also been found exploiting the vulnerability to gain access to networks controlled by businesses, local governments, and education and healthcare institutions.

According to tweets by the Microsoft Threat Intelligence team, the exploitation of PaperCut by Mint Sandstorm appears to be opportunistic, targeting organizations in various sectors and geographic locations. The exploitation activity linked to Mango Sandstorm is believed to be relatively low, with the state-sponsored group reportedly utilizing tools from previous intrusions to establish a connection to their command-and-control infrastructure.

As previously reported, the PaperCut vulnerability, tracked as CVE-2023-27350, can allow unauthenticated remote attackers to bypass authentication and execute arbitrary code with the privileges of the SYSTEM user. It received a severity score of 9.8 out of 10. Although the vulnerability was promptly fixed in March, unpatched systems are still vulnerable. In late April, PaperCut warned its customers to update their installations immediately, as initial attacks targeting the vulnerability were being reported.

However, endpoint detection and response security firm Huntress cautioned that numerous PaperCut MF/NG deployments were still unpatched. Several days later, Microsoft disclosed that it had detected a Clop ransomware operator utilizing the vulnerability for several weeks.

On April 21st, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its catalog of actively exploited vulnerabilities. Federal agencies were also ordered to secure their PaperCut servers within three weeks, with a deadline of May 12th, 2023.

PaperCut's enterprise printing management software is used by large corporations, state organizations, and educational institutions worldwide. According to the developer, the software has over 100 million users across 70,000 companies.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
