Tuesday, 09 May 2023 11:37

More Threat Groups Pile onto PaperCut Vulnerability Including State-Sponsored Ones

In January of 2023 the print management software company PaperCut was advised of two Remote Code Execution (RCE) bugs in its PaperCut MF and PaperCut NG software products. PaperCut worked with the group that identified the bugs, Trend Micro, to develop a patch prior to disclosure of the flaw. The patch was made available to PaperCut clients on March 8th and the vulnerability was disclosed on April 20th. However, as is the case with things like this, the patches were not rolled out as one would have hoped.

Instead, far too many customers did not patch, and now those same vulnerabilities are being exploited in the wild by multiple groups, according to Microsoft and other researchers following the bugs. So far Microsoft has observed the Lace Tempest cybercrime group using the flaw to deliver ransomware like Cl0p and LockBit. Now they are seeing groups like Mango Sandstorm and Mint Sandstorm jump on the bandwagon for some of the fun. Mango Sandstorm has been linked to the Iranian MOIS (Ministry of Intelligence and Security), while Mint Sandstorm is linked to the Islamic Revolutionary Guard Corps (IRGC). Seeing these two groups involved could mean that these new attacks are part of an ongoing campaign that uses both cyberattacks and influence operations (social media, etc.) to make geopolitical changes in the region.

These flaws, left unpatched, represent a significant threat to organizations. The rapid move from disclosure to exploitation could mean a couple of things: either threat groups knew about these flaws and know they have a small window to utilize them before they are patched, or their development teams and timelines are more sophisticated than originally thought. The former is worrisome, while the latter is much more concerning. It means that the usually anticipated time to remediate is significantly shorter than most organizations can meet, even for a critical vulnerability. Consider the fact that one of the bugs (CVE-2023-27350) allows for arbitrary code execution as SYSTEM, and there are groups that have still not patched it.

Organizations should be looking to improve their exposure identification and remediation programs to stay ahead of these types of flaws. The mean time to remediate needs to be trimmed down quite a bit as well, especially now that we know just how quickly threat actors can mobilize and get their own tools ready to take advantage of the right flaw. Happy patching.
