• Thu. Oct 12th, 2023

Iranian Cyber Criminals Start Attacks on Exposed Papercut Servers

Avatar photo

ByEsme Greene

Jul 5, 2023
Iranian Hackers Target Exposed Papercut Servers
Esme Greene
Latest posts by Esme Greene (see all)

Mango Sandstorm, also known as Mercury or Muddywater, is linked to Iran’s Ministry of Intelligence and Security, while Mint Sandstorm, also referred as Phosphorus or APT35, is linked to Iran’s Islamic Revolutionary Guard Corps. The firm is tracking both of these organizations.

The Research

“Mint Sandstorm’s PaperCut activities don’t appear to be a target. Companies in all industries and regions are affected, according to the group. Threat Intelligence from Microsoft.

The experts said, “Observed Operational Activity CVE-2023-27350 from Mango Sandstorm remains low, with operators connecting to their C2-infrastructure using tools from previous intrusions.”

Microsoft claims that the Lace Tempest criminal organization, whose nefarious activities closely overlap with those of the cybercriminal gangs FIN11 and TA505 connected to the Clop ransomware campaign, previously actively exploited PaperCut vulnerabilities.

Microsoft discovered as well that certain attempts resulted in the distribution of malware. LockBit but were unable to offer any other details on this.

Security Measures

On April 21 of this year, CISA added the PaperCut vulnerability to its list of regularly exploited flaws and instructed federal entities to protect their PaperCut servers for three weeks, or until May 12.

These attacks took advantage of a serious unauthenticated remote code execution vulnerability in PaperCut MF or NG 8.0 or later, identified as CVE-2023-27350.

Internationally, major corporations, governmental agencies, and educational institutions all utilize this enterprise print management software. The creator of PaperCut asserts that there are more than 100 million users from more than 70,000 businesses.

Despite the fact that a number of cybersecurity firms have published indications of compromise and detection guidelines for PaperCut vulnerabilities, VinCheck disclosed information about a brand-new attack vector last week. It has the ability to go beyond current detections, letting attackers keep using CVE-2023-27350 without being stopped.

Customers and internal security specialists at PaperCut-using businesses are urged to upgrade their PaperCut MF and PaperCut NG software as soon as possible to versions 20.1.7, 21.2.11, and 22.0.9 and later. They have already patched the remote code execution vulnerability, making it impossible to launch attacks using this technique.

Avatar photo

Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.