Print management software provider PaperCut said that it has “evidence to suggest that unpatched servers are being exploited in the wild,” citing two vulnerability reports from cybersecurity company Trend Micro.
“PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC,” it further added.
The update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical improper access control flaw (CVE-2023-27350, CVSS score: 9.8) in PaperCut MF and NG to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from PaperCut software to install remote management and maintenance (RMM) software like Atera and Syncro for persistent access and code execution on the infected hosts.
Additional infrastructure analysis has revealed the domain hosting the tools – windowservicecemter[.]com – was registered on April 12, 2023, also hosting malware like TrueBot, although the company said it did not directly detect the deployment of the downloader.
TrueBot is attributed to a Russian criminal entity known as Silence, which in turn has historical links with Evil Corp and its overlapping cluster TA505, the latter of which has facilitated the distribution of Cl0p ransomware in the past.
“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning,” Huntress researchers said.
“Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”
Users are recommended to upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9) as soon as possible, regardless of whether the server is “available to external or internal connections,” to mitigate potential risks.
Customers who are unable to upgrade to a security patch are advised to lock down network access to the servers by blocking all inbound traffic from external IPs and limiting IP addresses to only those belonging to verified site servers.