Ultimately, some of these operations led to data exfiltration and encryption of victim systems. In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Threat Actor ActivityĮducation Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. This CVE was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on April 21, 2023. As a result, a wide range of post-exploitation activity is possible following initial access and compromise. Commands supplied with the execution of these processes will also run with the same privileges. When the software is exploited to execute other processes such as cmd.exe or powershell.exe, these child processes are created with the same privileges. The PaperCut server process pc-app.exe runs with SYSTEM- or root-level privileges. Using the User/Group Sync interface to execute a living-off-the-land-style attack.įBI and CISA note that actors may develop other methods for RCE.Using the print scripting interface to execute shell commands.There are currently two publicly known proofs of concept for achieving RCE in vulnerable PaperCut software: After accessing the server, actors can leverage existing PaperCut software features for remote code execution (RCE). ![]() PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls in the SetupCompleted Java class, allowing malicious actors to bypass user authentication and access the server as an administrator. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.ĭownload the PDF version of this report (653kb):ĬVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the following affected installations of PaperCut: FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. ![]() FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well and indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. ![]() In early May 2023, also according to FBI information, a group self-identifying as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers against the Education Facilities Subsector. ![]() PaperCut released a patch in March 2023.Īccording to FBI observed information, malicious actors exploited CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |