PaperCut says hackers are exploiting ‘critical’ security flaws in unpatched servers

Print management software maker PaperCut says attackers are exploiting a critical-rated security vulnerability to gain access to unpatched servers on customer networks.
PaperCut offers two print management products, PaperCut NG and PaperCut MF, used by local governments, large enterprises and healthcare and education institutions. PaperCut’s website says it has over 100 million users from more than 70,000 organizations worldwide.
In an advisory last week, PaperCut said that a critical vulnerability it patched earlier in March was under active attack against machines that had yet to install the security update. The vulnerability, tracked as CVE-2023-27350, is scored 9.8 out of a possible 10 in vulnerability severity as it could allow an unauthenticated attacker to remotely execute malicious code on a server without needing credentials.
PaperCut also sounded the alarm about a separate but similar flaw in its software, tracked as CVE-2023-27351 with a vulnerability severity rating of 8.2 out of 10. The bug allows hackers to extract information about users stored within a customer’s PaperCut MF and NG servers, including usernames, full names, email addresses, department information and payment card numbers associated with the accounts.
“Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later,” the company said. “We highly recommend upgrading to one of these versions containing the fix.”
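The fixed versions quoted above can be turned into a quick inventory check. The following Python sketch is an added example, not code from PaperCut or Huntress; the hostnames and version strings are constructed, and treating the three versions as per-branch minimums (with newer major releases counted as fixed) is an assumption.

```python
import re

# Fixed releases quoted in the article, keyed by major version.
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

def parse_version(text):
    """Parse a leading 'major.minor.patch' (e.g. '22.0.8') into a tuple of ints."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(version_text):
    """Return 'patched', 'unpatched' or 'no-fix-listed' for one version."""
    version = parse_version(version_text)
    major = version[0]
    if major > max(FIXED):
        return "patched"  # assumption: "and later" covers newer major releases
    if major in FIXED:
        # Tuple comparison is numeric, so 21.2.9 sorts below 21.2.11
        # (a plain string comparison would get this wrong).
        return "patched" if version >= FIXED[major] else "unpatched"
    return "no-fix-listed"  # older branch: the article names no fixed build

def triage(inventory):
    """Map each host to a status; unparseable versions need manual review."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "needs-review"
    return report

# Constructed inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "print01": "22.0.8",
    "print02": "21.2.11",
    "print03": "21.2.9",
    "print04": "19.2.7",
    "print05": "23.0.1",
    "print06": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```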
Since PaperCut’s confirmation of in-the-wild attacks, cybersecurity company Huntress said it observed hackers exploiting the vulnerabilities to plant legitimate remote management software — Atera and Syncro — to backdoor unpatched servers. Huntress said it has detected about 1,800 internet-exposed PaperCut servers.
Huntress said that the attackers used the remote tools to plant malware known as Truebot, which is often used by the Russia-backed Clop gang before it deploys ransomware. Clop is also believed to have used Truebot as part of its mass-hack targeting customers of Fortra’s GoAnywhere file transfer tool.
“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning,” Huntress wrote. “Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”
Huntress said it created an unreleased proof-of-concept exploit to evaluate the threat posed by the two vulnerabilities. On Monday, researchers with automated pentesting firm Horizon3 released their own proof-of-concept exploit code for the 9.8-rated vulnerability.
CISA added the highest-severity CVE-2023-27350 flaw to its list of actively exploited vulnerabilities on Friday, ordering federal agencies to secure their systems against ongoing exploitation within three weeks by May 12.
The post PaperCut says hackers are exploiting ‘critical’ security flaws in unpatched servers appeared first on Ferdja.