Russian Hackers are Accused of Regularly Exploiting Unprotected PaperCut Networks

By Harper Stewart

May 18, 2023

A further flaw in a widely used program puts tens of thousands of companies in danger.

Citing vulnerability reports from the firm Trend Micro, PaperCut, a vendor of copy management software, stated on April 19 that unsecured PaperCut MF/NG servers are being extensively exploited by hackers in the wild (ITW).

The Vulnerabilities Found

The first vulnerability, identified as ZDI-CAN-18987 / PO-1216, is a critical unauthenticated remote code execution bug. This flaw affects PaperCut MF or NG version 8.0 or earlier on all platforms, including application servers and websites. The flaw has a CVSS v3.1 score of 9.8, indicating the severity of the issue.

The second vulnerability, identified as ZDI-CAN-19226 / PO-1219, is a high-risk bug that discloses information to an unauthorized attacker. This flaw affects PaperCut MF or NG version 15.0 or earlier on all platforms, but only for application servers. The vulnerability has a CVSS v3.1 score of 8.2, signifying its high level of severity.

The Huge Impact and Targeted Institutions

PaperCut creates software for managing printing tasks that is designed to work with all popular businesses. Large corporations, government agencies, colleges and universities all use the program, and according to the official PaperCut web page, the company serves hundreds of millions of users across more than 100 countries.

Huntress specialists, who previously discovered around 1,800 publicly accessible PaperCut servers, have reported that they recently observed PowerShell commands being generated by the PaperCut installation software, which could allow malicious code to be persistently accessed and executed on compromised hosts. This issue is particularly concerning for RMM (Remote Monitoring and Management) software such as Atera and Syncro.

The TrueBot malware is generally associated with a cybercriminal group known as Silence, which is believed to have originated in Russia. This group has been linked to Evil Corp, a well-known entity that has been involved in the proliferation of ransomware.

Cyber Security Measures for PaperCut Users

It is highly recommended that all customers of PaperCut upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9) without delay, regardless of whether the server is externally or internally accessible. This is a crucial step in mitigating any possible risks associated with the vulnerabilities.

In situations where updating to the latest versions is not feasible, it is recommended to limit incoming network access to servers by creating a whitelist of IP addresses. This will help to minimize the risk of any potential security breaches.
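To apply the upgrade guidance above across a fleet, the following added example (not code from the article or from PaperCut) triages an inventory of installed versions against the three fixed releases. The inventory format, hostnames and sample versions are constructed, and treating releases newer than the 22.x branch as patched is an assumption.

```python
import re

# Fixed releases named in the article, keyed by major version.
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

# Constructed inventory in "host,version" form; all values are made up.
SAMPLE_INVENTORY = """\
print01.example.internal,22.0.9
print02.example.internal,22.0.8
print03.example.internal,21.2.9
print04.example.internal,20.1.6
print05.example.internal,19.2.7
print06.example.internal,unknown
"""

def parse_version(text):
    """Return (major, minor, patch) as integers, or None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def triage(version_text):
    """Classify one installed version against the fixed releases."""
    v = parse_version(version_text)
    if v is None:
        return "unknown version, check manually"
    major = v[0]
    if major in FIXED:
        fix = FIXED[major]
        # Tuple comparison is numeric, so 21.2.9 sorts below 21.2.11
        # (a plain string comparison would get this wrong).
        if v >= fix:
            return "patched"
        return "upgrade to " + ".".join(map(str, fix)) + " or later"
    if major > max(FIXED):
        return "patched"  # assumption: newer branches include the fix
    return "no fixed release in this branch, move to a fixed branch"

def triage_inventory(text):
    """Map each host in a 'host,version' listing to its triage status."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            host, _, version = line.partition(",")
            results[host.strip()] = triage(version)
    return results

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status}")
```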
