On April 19, 2023, PaperCut confirmed that print management servers vulnerable to a critical remote code execution vulnerability (CVE-2023-27350: CVSS 9.8) are being actively exploited by threat actors. CVE-2023-27350 could allow unauthenticated threat actors to bypass authentication and execute arbitrary code in the context of SYSTEM on a PaperCut Application Server.
Zero Day Initiative responsibly disclosed the vulnerability to PaperCut on January 10, 2023; PaperCut released a patch on March 8, 2023. Additional details surrounding this vulnerability will be released by Trend Micro on May 10, 2023.
Over the past week, Arctic Wolf has observed intrusion activity associated with a vulnerable PaperCut Server where the RMM tool Syncro MSP was loaded onto a victim system. We assess with moderate confidence that this intrusion activity is related to the exploitation of CVE-2023-27350.
Arctic Wolf has deployed monitoring around indicators of compromise associated with this PaperCut intrusion activity. We strongly recommend that organizations running the affected products upgrade as soon as possible.
Recommendations For CVE-2023-27350
Recommendation #1: Upgrade PaperCut Application Servers to a Fixed Version
We strongly recommend upgrading PaperCut MF and PaperCut NG to 20.1.7, 21.2.11, 22.0.9 or later to prevent potential exploitation. According to PaperCut, there is no practical workaround to address this vulnerability.
Product | Impacted Version | Patched Version |
---|---|---|
PaperCut MF | Version 8.0 or later, on all OS platforms | Versions 20.1.7, 21.2.11 and 22.0.9 and later |
PaperCut NG | Version 8.0 or later, on all OS platforms | Versions 20.1.7, 21.2.11 and 22.0.9 and later |
Application and Site servers are impacted; secondary servers (Print Providers) and Direct Print Monitors are not impacted. No workaround is available for this vulnerability.
Note: Arctic Wolf recommends following change management best practices when applying upgrades, including testing changes in a test environment before deploying to production to avoid operational impact.
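The version table above is easy to misread when an estate runs several PaperCut release lines at once, because the fix landed on three separate branches (20.1.7, 21.2.11, 22.0.9). The helper below is an added example, not PaperCut's or Arctic Wolf's tooling; it takes a version string as reported by the Application Server and classifies it against the branches named in this advisory. It assumes that any major release above the 22.x line carries the fix (the advisory says "22.0.9 and later") and that no fixed release exists on the 8.x to 19.x lines, so those must be upgraded.

```python
# Added example (not PaperCut's or Arctic Wolf's code): classify an installed
# PaperCut MF/NG version against the fixed releases named in the advisory.
from typing import Tuple

# Fixed releases per major line, as stated in the advisory: 20.1.7, 21.2.11, 22.0.9.
FIXED_BY_MAJOR = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
FIRST_AFFECTED_MAJOR = 8           # "Version 8.0 or later" is impacted
LAST_FIXED_MAJOR = max(FIXED_BY_MAJOR)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing build suffix such as
    '22.0.9 (Build 12345)' is ignored, missing components default to 0."""
    core = text.strip().split()[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def assess_cve_2023_27350(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not-affected' for a PaperCut MF/NG
    Application or Site Server version string."""
    v = parse_version(version)
    major = v[0]
    if major < FIRST_AFFECTED_MAJOR:
        return "not-affected"            # below 8.0: outside the impacted range
    if major > LAST_FIXED_MAJOR:
        # Assumption: releases after the 22.x line include the fix ("22.0.9 and later").
        return "patched"
    fixed = FIXED_BY_MAJOR.get(major)
    if fixed is None:
        # 8.x to 19.x: no fixed release exists on these lines; an upgrade is required.
        return "vulnerable"
    # Same major line: compare (major, minor, patch) tuples against the fixed release.
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    for v in ("21.2.10", "21.2.11", "20.1.7 (Build 12345)", "19.2.3", "22.0.9", "7.5.0"):
        print(f"{v:24} -> {assess_cve_2023_27350(v)}")
```

Feed it the version strings collected from each server's "About" page or inventory export; anything that comes back `vulnerable` is an upgrade candidate, and because there is no workaround the classification should drive the patch schedule directly.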
Indicators of Compromise (IOCs)
Indicator | Type | Context |
---|---|---|
hxxp://upd488.windowservicecemter[.]com/download/AppPrint.msi | URL | URL delivering MSI file that installs Syncro MSP RMM tool |
00ec44df6487faf9949cebee179bafe8377ca4417736766932508f94da0f35fe | SHA256 Hash | AppPrint.msi file that installs Syncro MSP RMM tool |
upd488.windowservicecemter[.]com | Domain | Domain delivering MSI file that loads RMM tool |
hxxp://upd488.windowservicecemter[.]com/download/setup.msi | URL | URL delivering MSI file that installs AteraAgent. Note: We have not observed this in our specific intrusion. |
hxxp://upd488.windowservicecemter[.]com/download/a3.msi | URL | Download URL on the malicious domain observed in our intrusion |
upd343.winserverupdates[.]com | Domain | Cobalt Strike C2 with a similar domain naming convention and registration pattern to the domain used to host AppPrint.msi. Note: We have not observed this in our specific intrusion. |
172.67.156[.]5 | IP Address | A record for windowservicecemter[.]com |
104.21.73[.]3 | IP Address | A record for windowservicecemter[.]com |
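The indicators above are published defanged (`hxxp`, `[.]`), so they cannot be pasted into a log search as-is, and naive substring matching on the IP addresses would also hit neighbouring addresses such as 172.67.156.50. The script below is an added example, not Arctic Wolf's detection content: it refangs the table's indicators, compiles a type-appropriate pattern for each (anchored IPs and hashes, host-boundary domains, literal URLs) and sweeps a few constructed proxy, DNS and EDR log lines. The log lines and the field names in them are invented for the example.

```python
# Added example (not Arctic Wolf's tooling): refang the advisory's defanged
# indicators and sweep proxy/DNS/EDR log lines for them.
import re
from typing import List, Tuple

# Indicators exactly as published in the advisory table (defanged), with their type.
DEFANGED_IOCS = [
    ("hxxp://upd488.windowservicecemter[.]com/download/AppPrint.msi", "URL", "MSI installing Syncro MSP RMM tool"),
    ("00ec44df6487faf9949cebee179bafe8377ca4417736766932508f94da0f35fe", "SHA256", "AppPrint.msi"),
    ("upd488.windowservicecemter[.]com", "Domain", "domain delivering MSI that loads RMM tool"),
    ("hxxp://upd488.windowservicecemter[.]com/download/setup.msi", "URL", "MSI installing AteraAgent"),
    ("hxxp://upd488.windowservicecemter[.]com/download/a3.msi", "URL", "download URL on malicious domain"),
    ("upd343.winserverupdates[.]com", "Domain", "Cobalt Strike C2"),
    ("172.67.156[.]5", "IP", "A record for windowservicecemter[.]com"),
    ("104.21.73[.]3", "IP", "A record for windowservicecemter[.]com"),
]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: hxxp(s):// -> http(s)://, [.] -> ."""
    s = indicator.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def compile_pattern(indicator: str, ioc_type: str) -> "re.Pattern[str]":
    """Build a regex that matches the indicator without over-matching its neighbours."""
    esc = re.escape(refang(indicator))
    if ioc_type == "IP":
        # 172.67.156.5 must not match 172.67.156.50 or 10.172.67.156.5
        return re.compile(r"(?<![\d.])" + esc + r"(?!\d)")
    if ioc_type == "SHA256":
        # hashes are case-insensitive and must not be a substring of a longer hex run
        return re.compile(r"(?<![0-9a-fA-F])" + esc + r"(?![0-9a-fA-F])", re.IGNORECASE)
    if ioc_type == "Domain":
        # match the host or a subdomain of it, but not e.g. notupd488.windowservicecemter.com
        return re.compile(r"(?<![\w-])" + esc + r"(?![\w-])", re.IGNORECASE)
    return re.compile(esc, re.IGNORECASE)   # URL: literal, case-insensitive substring


def scan_lines(lines: List[str], iocs=DEFANGED_IOCS) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, indicator, type, context) for every indicator seen on each line."""
    compiled = [(ind, typ, ctx, compile_pattern(ind, typ)) for ind, typ, ctx in iocs]
    hits = []
    for n, line in enumerate(lines, start=1):
        for ind, typ, ctx, pat in compiled:
            if pat.search(line):
                hits.append((n, ind, typ, ctx))
    return hits


# Constructed sample log lines (not real telemetry); field names are invented.
SAMPLE_LOGS = [
    # proxy: print server fetching the MSI from the malicious host
    "2023-04-20T03:12:44Z proxy src=10.10.5.21 dst=172.67.156.5 method=GET "
    "url=http://upd488.windowservicecemter.com/download/AppPrint.msi status=200",
    # dns: lookup of the related Cobalt Strike C2 domain
    "2023-04-20T03:15:02Z dns client=10.10.5.21 query=upd343.winserverupdates.com type=A rcode=NOERROR",
    # edr: dropped installer, hash reported in upper case
    "2023-04-20T03:13:10Z edr host=PRINT01 event=FileCreate path=C:\\Windows\\Temp\\AppPrint.msi "
    "sha256=00EC44DF6487FAF9949CEBEE179BAFE8377CA4417736766932508F94DA0F35FE",
    # benign: neighbouring IP and unrelated host, must not match
    "2023-04-20T03:20:00Z proxy src=10.10.5.22 dst=172.67.156.50 method=GET "
    "url=https://updates.example.com/patch.msi status=200",
]

if __name__ == "__main__":
    for line_no, ind, typ, ctx in scan_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {typ:7} {refang(ind)}  ({ctx})")
```

A line carrying the full download URL is reported three times (URL, domain and resolved IP), which is intentional: each hit maps back to a different row of the table and a different log source where the same activity should be corroborated. Swap `SAMPLE_LOGS` for a file iterator to run it over exported proxy or DNS logs.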