Microsoft has revealed that Iranian state-backed hacking groups have joined the ongoing attack spree targeting vulnerable PaperCut MF/NG print management servers. The groups involved are tracked as Mango Sandstorm (aka Mercury or Muddywater and linked to Iran's Ministry of Intelligence and Security) and Mint Sandstorm (also known as Phosphorus or APT35 and tied to Iran's Islamic Revolutionary Guard Corps). Microsoft's Threat Intelligence team stated, "The PaperCut exploitation activity by Mint Sandstorm appears opportunistic, affecting organizations across sectors and geographies." They also noted that the observed CVE-2023-27350 exploitation activity by Mango Sandstorm remains low, with operators using tools from prior intrusions to connect to their C2 infrastructure.
This follows attacks that Microsoft linked to Lace Tempest, a hacking group whose malicious activity overlaps with the FIN11 and TA505 cybercrime gangs connected to the Clop ransomware operation. Microsoft also found that some intrusions led to LockBit ransomware attacks, but could not provide more information when asked for additional details. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-27350 to its catalog of actively exploited vulnerabilities on April 21, ordering federal agencies to secure their PaperCut servers within three weeks, by May 12, 2023.
The exploited PaperCut vulnerability, tracked as CVE-2023-27350, is a critical pre-authentication remote code execution bug in PaperCut MF and NG versions 8.0 and later. This enterprise print management software is used by large companies, government organizations, and educational institutions worldwide, with PaperCut's developer claiming more than 100 million users across over 70,000 organizations. Security researchers released PoC exploits for the RCE bug soon after the initial disclosure in March 2023, and Microsoft warned several days later that the vulnerability was being used for initial access to corporate networks by the Clop and LockBit ransomware gangs.
While multiple cybersecurity companies have released indicators of compromise and detection rules for PaperCut exploits, a new attack method was shared last week that can bypass existing detections, allowing attackers to keep exploiting CVE-2023-27350 unobstructed. A vulnerability researcher said, "Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks." The researcher also emphasized that attackers learn from defenders' public detections, so it's the defenders' responsibility to produce robust detections that aren't easily bypassed.
Defenders are urged to immediately upgrade their PaperCut MF and PaperCut NG software to versions 20.1.7, 21.2.11, and 22.0.9 and later, which address this RCE bug and remove the attack vector.
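As an added example (not PaperCut's or Microsoft's own tooling), the following Python triage helper applies the fixed-version thresholds above to version strings pulled from an asset inventory, so an unpatched server is flagged even when its major version is newer than another server's. It assumes that releases newer than the 22.x branch ship with the fix and that builds older than 8.0 are out of scope; neither is stated on the page.

```python
"""Triage helper: is a PaperCut MF/NG version still affected by CVE-2023-27350?

Fixed builds per branch are the ones named above: 20.1.7, 21.2.11 and 22.0.9.
Everything from 8.0 up to the fixed build on its branch is treated as affected.
Assumptions (not from the page): majors newer than 22 are fixed; pre-8.0 is out of scope.
"""
import re

FIXED_BY_MAJOR = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
FIRST_AFFECTED = (8, 0, 0)
NEWEST_FIX = (22, 0, 9)


def parse_version(text):
    """Turn '21.2.10', '21.2' or 'v22.0.9 (Build 66390)' into a 3-tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if this build still carries CVE-2023-27350 and must be upgraded."""
    ver = parse_version(version_text)
    if ver < FIRST_AFFECTED:
        return False  # pre-8.0 builds are not listed as affected (assumption: out of scope)
    fixed = FIXED_BY_MAJOR.get(ver[0])
    if fixed is None:
        # 8.x-19.x have no fixed build on their own branch: must move to a fixed branch.
        # Majors newer than 22 are assumed to include the fix.
        return ver[0] < 20
    return ver < fixed  # tuple comparison handles 21.2.10 < 21.2.11 correctly


def recommended_upgrade(version_text):
    """Lowest fixed build on the same branch, or the newest listed fix for older branches."""
    ver = parse_version(version_text)
    fixed = FIXED_BY_MAJOR.get(ver[0], NEWEST_FIX)
    return ".".join(str(n) for n in fixed)


if __name__ == "__main__":
    # Constructed inventory lines for illustration; not real hosts.
    inventory = [("print-01", "21.2.10"), ("print-02", "22.0.9 (Build 66390)"), ("print-03", "19.2.5")]
    for host, ver in inventory:
        if is_affected(ver):
            print(f"{host}: PaperCut {ver} -> AFFECTED, upgrade to {recommended_upgrade(ver)}")
        else:
            print(f"{host}: PaperCut {ver} -> fixed")
```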