Exploit released for PaperCut flaw abused to hijack servers, patch now
Attackers are exploiting severe vulnerabilities in the widely used PaperCut MF/NG print management software to install Atera remote management software and take over servers.
The software's developer says it is used by more than 100 million users from over 70,000 companies worldwide.
The two security flaws (tracked as CVE-2023-27350 and CVE-2023-27351) allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that do not require user interaction.
“Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix,” the company warned.
Proof-of-concept exploit available
Earlier today, attack surface assessment firm Horizon3 published a blog post containing detailed technical information and a CVE-2023-27350 proof-of-concept (PoC) exploit that attackers could use to bypass authentication and execute code on unpatched PaperCut servers.
Horizon3 says the RCE exploit helps gain “remote code execution by abusing the built-in ‘Scripting’ functionality for printers.”
Huntress also created a PoC exploit to demonstrate the threat posed by these ongoing attacks but has yet to release it online (a video demo is available below).
While unpatched PaperCut servers are already being targeted in the wild, more threat actors will likely also use Horizon3's exploit code in further attacks.
Fortunately, a Shodan search shows that attackers could target only around 1,700 Internet-exposed PaperCut servers.
CISA added the CVE-2023-27350 flaw to its list of actively exploited vulnerabilities on Friday, ordering federal agencies to secure their systems against ongoing exploitation within three weeks, by May 12, 2023.
Huntress advises administrators who cannot promptly patch their PaperCut servers to take measures to prevent remote exploitation.
This includes blocking all traffic to the web management port (default port 9191) from external IP addresses on an edge device, as well as blocking all traffic to the same port on the server's firewall, so that management access is restricted to the server itself and a potential network breach is prevented.
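The server-side half of that mitigation, written out as an added example (not code from the article, Huntress, or PaperCut). It assumes a Windows PaperCut server using Windows Defender Firewall and the default admin port 9191 named in the article; the rule display name is an arbitrary choice for this example, and the edge-device block is a separate perimeter ACL not shown here.

```powershell
# Added example: restrict the PaperCut web admin port (9191, the default per the
# article) to the server itself on Windows Defender Firewall. Run elevated.
# The rule name is an arbitrary choice for this example.

$Port = 9191
$RuleName = "PaperCut admin $Port - block inbound"

# Block every inbound connection to TCP 9191 on all network profiles.
# Windows Defender Firewall generally does not filter loopback traffic, so
# local administration via http://localhost:9191 keeps working while every
# remote address (LAN included) is refused until the server is patched.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -Action Block -Profile Any -Enabled True

# Verify the rule exists and is bound to the intended port.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# From a different host, confirm the port is no longer reachable
# (replace <papercut-server> with the server's hostname or address):
#   Test-NetConnection -ComputerName <papercut-server> -Port 9191
# TcpTestSucceeded should now be False.
```

Because the rule is a plain block with no remote-address exception, administrators on the internal network lose access to the web console too; that is the trade-off the article describes (management only from the server itself). Remove the rule once the server is upgraded to a fixed version.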
Links to Clop ransomware
According to Huntress security researchers, who have been analyzing post-exploitation activity linked to these ongoing attacks since April 16, when the first attacks were observed, threat actors have been using the flaw to execute PowerShell commands that install Atera and Syncro remote management software.
These attacks were preceded by the registration of the windowservicecenter.com domain on April 12th, which was also used to host and deliver the TrueBot downloader, a malware linked to the Silence cybercrime group and used to deploy Clop ransomware payloads since December 2022.
“While the ultimate goal of the current activity leveraging PaperCut's software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning,” Huntress Labs said.
“Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”