Educational institutions under threat as PaperCut software is actively abused by various cybercriminals.
In a recent development, a serious cybersecurity threat has been identified in the popular print management software PaperCut. The vulnerability, tracked as CVE-2023-27350, has been actively exploited since mid-April, according to researchers at Huntress.
The earliest signs of suspicious activity linked to this vulnerability were detected on a customer server on April 14. This was followed by a reported incident on April 18, when a customer notified PaperCut about suspicious activity on their server.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory regarding the active exploitation of unpatched versions of PaperCut. The advisory highlights that multiple threat actors, including Lace Tempest, a financially motivated group, and Iranian state-sponsored threat actors Mint Sandstorm and Mango Sandstorm, have been tracked exploiting this vulnerability.
Notably, a ransomware group identifying itself as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers belonging to the education facilities sector in early May, as warned by Microsoft Threat Intelligence in a tweet on May 5.
PaperCut, a company with over 100 million users across 70,000 organizations globally, released a patch for the vulnerability in March. However, it appears that many organizations have yet to apply the patch, making them vulnerable to attacks.
Education is a key market for PaperCut, and it's concerning that this vulnerability could potentially put educational institutions at risk. The joint advisory issued by the FBI and CISA includes detection methods and indicators of compromise to help administrators secure their systems.
The vulnerability allows a threat actor to bypass authentication and achieve remote code execution on a PaperCut application server. This underscores the importance of promptly applying patches or workarounds, as advised by the federal agencies.
At this point, it's important to note that beyond the Bl00dy Ransomware Gang, Lace Tempest, Mango Sandstorm, and Mint Sandstorm, no other organizations or individuals have been publicly confirmed to have exploited the vulnerability in outdated versions of the PaperCut print management software.
As always, vigilance and prompt action are key in maintaining cybersecurity. It's recommended that all PaperCut users review the advisory and take necessary steps to secure their systems.