
New Method to Bypass Existing Detection Rules of PaperCut Flaw

Researchers first disclosed the infamous PaperCut flaw (CVE-2023-27350) in March, warning organizations that it could allow attackers to execute arbitrary code through PaperCut's built-in scripting interface. Over the following weeks several PoC exploits were released, putting the flaw in the hands of many attackers. Confirming the severity of the situation, Microsoft disclosed that the Cl0p and LockBit ransomware gangs were leveraging the flaw to gain initial access to organizations' networks.

Since then, multiple security companies have released detection rules to help organizations identify IOCs of PaperCut exploitation. However, the trouble arising from the PaperCut vulnerability appears far from over: new research has unearthed an attack method that bypasses the existing detection rules.

Here’s what happened

  • Security experts at VulnCheck published a PoC exploit that sidesteps the existing detection rules, which were written around the originally disclosed path, by leveraging the fact that PaperCut NG and MF offer more than one path to code execution.
  • The new PoC exploit was found to evade Sysmon-based, log-file-based, and network-signature detection rules without triggering an alert.

Exploit process

  • The PoC points PaperCut at an external program to run when a user logs in: "/usr/sbin/python3" on Linux and "C:\Windows\System32\ftp.exe" on Windows.
  • The server hands the submitted login credentials to that program, so the attacker's credentials become input that the program executes.
  • On Linux this lets the attacker launch a Python reverse shell; on Windows, ftp.exe can be driven to download a custom reverse shell hosted on a remote server.
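
The lesson for defenders in the steps above is that a rule keyed on one known child process (cmd.exe, powershell.exe) of the PaperCut server is exactly what a second code-execution path slips past. The following is an added example, not code from the article or from VulnCheck, that runs two Sysmon-style process-creation rules over constructed event records: a narrow rule that only fires on shell interpreters, and a broad rule that treats any child of the PaperCut server process as suspicious. The parent-process names (pc-app.exe on Windows, pc-app on Linux), the install paths, and the reduced event shape are assumptions made for the illustration.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# three fields the rules need. These are illustrative, not real captures;
# the PaperCut install paths are assumed.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # The new path from the article: the server spawning ftp.exe at login.
    {"ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp.exe"},
    # Benign noise that neither rule should flag.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    # Linux equivalent in the same record shape (assumed server path).
    {"ParentImage": "/home/papercut/server/bin/linux-x64/pc-app",
     "Image": "/usr/sbin/python3",
     "CommandLine": "/usr/sbin/python3"},
]

# Assumed process names for the PaperCut application server.
PAPERCUT_SERVER = {"pc-app.exe", "pc-app"}

# Simplified stand-in for the pre-bypass style of rule: only a handful of
# well-known shell interpreters count as a suspicious child.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}


def basename(path: str) -> str:
    """Return the final component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_papercut_server(image: str) -> bool:
    return basename(image) in PAPERCUT_SERVER


def narrow_rule(event: dict) -> bool:
    """Fires only when the PaperCut server spawns a known shell interpreter."""
    return (is_papercut_server(event["ParentImage"])
            and basename(event["Image"]) in SHELL_CHILDREN)


def broad_rule(event: dict) -> bool:
    """Fires on any child process of the PaperCut server, whatever its name."""
    return is_papercut_server(event["ParentImage"])


def evaluate(events: list, rule) -> list:
    """Return the child-process names that a rule flags, in event order."""
    return [basename(e["Image"]) for e in events if rule(e)]


if __name__ == "__main__":
    print("narrow rule flags:", evaluate(SAMPLE_EVENTS, narrow_rule))
    print("broad rule flags: ", evaluate(SAMPLE_EVENTS, broad_rule))
```

The narrow rule flags only the cmd.exe record and misses both ftp.exe and python3, which is the gap the bypass exploits; the broad rule catches all three. A parent-process rule this wide needs an allowlist built from the children the PaperCut server legitimately spawns in your own environment, but the allowlist should be a short, reviewed list rather than a reversal back to naming only the children you expect an attacker to pick.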

Recommendations

The best way to deal with this threat is to deploy the recommended security updates: PaperCut MF/NG versions 20.1.7, 21.2.11, 22.0.9, or later. Detection rules that key on a single child process, path, or request pattern from the originally disclosed exploit should also be broadened, since the new PoC shows that such rules cover only one of the available code-execution paths. As researchers warn that attackers closely monitor the detection methods employed by defenders and adjust their techniques accordingly, organizations must implement layered security measures that can thwart these attacks at any stage.
Publisher: Cyware