@ndma @ducklah 10 May 2023

Threat Actor

Unknown

Description

Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections.

Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

While the flaw was patched by the Australian company on March 8, 2023, the first signs of active exploitation emerged on April 13, 2023.

Since then, the vulnerability has been weaponized by multiple threat groups, including ransomware actors, with post-exploitation activity resulting in the execution of PowerShell commands designed to drop additional payloads.

The PoC exploit devised by VulnCheck banks on the auth program set as "/usr/sbin/python3" for Linux and "C:\Windows\System32\ftp.exe" for Windows. All an attacker then needs to execute arbitrary code is to provide a malicious username and password during a login attempt, the company said.

The attack method could be exploited to launch a Python reverse shell on Linux or download a custom reverse shell hosted on a remote server in Windows without activating any of the known detections.

"An administrative user attacking PaperCut NG and MF can follow multiple paths to arbitrary code execution," VulnCheck security researcher Jacob Baines pointed out.

"Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks. Attackers learn from defenders' public detections, so it's the defenders' responsibility to produce robust detections that aren't easily bypassed."

Reference

https://thehackernews.com/2023/05/researchers-uncover-new-exploit-for.html