We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Ransomware Gangs Exploit PaperCut Vulnerabilities

By Keira Waddell, Former Senior Writer. Published on 28th April 2023.

PaperCut, a popular print management software, has been found in recent months to contain severe security vulnerabilities that have been exploited to deploy ransomware. The software is used by local governments, large companies, and education and healthcare institutions.

PaperCut released a statement on April 19th advising customers to update to the latest version of their software and to ensure that their systems are fully patched and up to date in order to prevent further attacks.

One of the vulnerabilities, identified as CVE-2023-27350, has been scored 9.8 out of 10 in severity: an unauthenticated attacker could execute malicious code on a server remotely, without the need for credentials.

The company also identified a second flaw, CVE-2023-27351, which holds a severity rating of 8.2 out of 10. The bug enables attackers to extract data from customers' PaperCut servers, including but not limited to usernames, full names, email addresses, department information, and payment card numbers associated with the accounts.

Both vulnerabilities have been fixed by recent patches, but many organizations have yet to apply the vital updates, leaving them open to attack.

In a recent statement to BleepingComputer, the Clop ransomware gang claimed responsibility for attacks on PaperCut servers, which they’ve allegedly been exploiting since April 13th. They said that they used the vulnerabilities to gain access to networks, rather than steal documents from the servers themselves. The group recently exploited zero-day vulnerabilities in the GoAnywhere secure file-sharing platform to steal the data of 130 organizations.

Clop is not the only group involved: Microsoft stated that some exploitation of these vulnerabilities has led to the deployment of malware linked with LockBit, another prolific ransomware gang.

Huntress, a cybersecurity firm, has reported that it has observed hackers exploiting the vulnerabilities to implant remote management software such as Atera and Syncro to backdoor unpatched servers. Huntress has identified around 1,800 PaperCut servers that are exposed to the internet, leaving them vulnerable.

The Cybersecurity and Infrastructure Security Agency included the more severe flaw, CVE-2023-27350, in its list of vulnerabilities that are being actively exploited. Federal agencies have been instructed to secure their systems against ongoing exploitation within three weeks, by May 12th.

About the Author

Keira was a senior writer at vpnMentor. She is an experienced cybersecurity and tech writer dedicated to providing comprehensive insights on VPNs, online privacy, and internet censorship.
