Microsoft has recently revealed that the Clop and LockBit ransomware gangs are responsible for the attacks on PaperCut servers, exploiting vulnerabilities to steal corporate data. In April, two vulnerabilities, CVE-2023-27350 and CVE-2023-27351, were fixed in the PaperCut Application Server, which allowed remote attackers to perform unauthenticated remote code execution and information disclosure.
Targets PaperCut Servers
PaperCut disclosed on April 19th that these flaws were actively exploited in the wild and urged administrators to upgrade their servers to the latest version. A Proof of Concept (PoC) exploit for the remote code execution (RCE) flaw was released shortly after, enabling more threat actors to breach the servers using these exploits.
The vulnerabilities were as follows:
- CVE-2023-27350 / ZDI-CAN-18987 / PO-1216: Allows remote code execution without authentication. Affects PaperCut MF or NG versions 8.0 or later on all operating system platforms, for both application and site servers. (CVSS v3.1 score: 9.8, critical)
- CVE-2023-27351 / ZDI-CAN-19226 / PO-1219: Enables information disclosure. Affects PaperCut MF or NG versions 15.0 or later on all operating system platforms, for application servers. (CVSS v3.1 score: 8.2, high)
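The affected-version ranges above are what an administrator needs when triaging a fleet of PaperCut servers. The following is an added Python example (not from the article, Microsoft or PaperCut) that parses version strings and reports which of the two CVEs a given server role and version is exposed to; the fixed release number is not stated in the article, so it is taken as a caller-supplied parameter and the sample inventory and threshold used below are constructed placeholders.

```python
"""Triage a PaperCut MF/NG inventory against CVE-2023-27350 and CVE-2023-27351.

The affected-since thresholds (8.0 and 15.0) come from the article. The fixed
version is NOT given there, so it is passed in by the caller from the vendor
advisory; this assumes one fix threshold, so if fixes ship on several release
branches, call once per branch.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum affected version per CVE, as stated in the article.
AFFECTED_SINCE: Dict[str, Version] = {
    "CVE-2023-27350": (8, 0),   # unauthenticated RCE; application and site servers
    "CVE-2023-27351": (15, 0),  # information disclosure; application servers only
}


def parse_version(text: str) -> Version:
    """Turn '22.0.8' (or '22.0.8-build1234') into a comparable tuple of ints."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def affected_cves(version: str, role: str,
                  fixed_version: Optional[str] = None) -> List[str]:
    """Return the CVE ids a server of this version and role is exposed to.

    role is 'application' or 'site'. When fixed_version is given and the
    server is at or above it, nothing is reported.
    """
    v = parse_version(version)
    if fixed_version is not None and v >= parse_version(fixed_version):
        return []
    hits: List[str] = []
    if v >= AFFECTED_SINCE["CVE-2023-27350"]:  # both server roles
        hits.append("CVE-2023-27350")
    if role == "application" and v >= AFFECTED_SINCE["CVE-2023-27351"]:
        hits.append("CVE-2023-27351")
    return hits


def triage(inventory: List[Tuple[str, str, str]],
           fixed_version: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each (host, role, version) record to the CVEs it still needs patched for."""
    return {host: affected_cves(ver, role, fixed_version) for host, role, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are placeholders.
    sample = [("print-app-01", "application", "22.0.8"),
              ("print-site-02", "site", "14.3"),
              ("print-legacy-03", "application", "7.9")]
    for host, cves in triage(sample).items():
        print(host, "->", cves or "not in affected range")
```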
Microsoft further reported that a Cobalt Strike beacon was deployed and used to spread laterally through the network, stealing data using the MegaSync file-sharing application. In addition to Clop, Microsoft says some intrusions have led to LockBit ransomware attacks, although it’s unclear if these attacks began after the exploits were publicly released.
Microsoft recommends that administrators apply the available patches as soon as possible, as other threat actors will likely begin exploiting the vulnerabilities.