State-sponsored attacks are exploiting PaperCut vulnerabilities: Microsoft

Iranian state-sponsored hacking groups Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) are now weaponising CVE-2023-27350 in the Papercut print management software to gain initial access. Mango Sandstorm has been linked with Iran’s Ministry of Intelligence and Security (MOIS) while Mint Sandstorm is reportedly associated with the Islamic Revolutionary Guard Corps (IRGC).

In a series of tweets, Microsoft has revealed that the state-sponsored group Mango Sandstorm is exploiting the vulnerability and using tools from “prior intrusions to connect to their C2 infrastructure”.  The report comes just a few weeks after Microsoft reported that groups like Lace Tempest, which overlaps with other hacking groups including FIN11, TA505 and Evil Corp are abusing the vulnerability to deliver Clop and LockBit ransomware strains. 

More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.

— Microsoft Threat Intelligence (@MsftSecIntel) May 5, 2023

The vulnerabilities in question are as follows.

• CVE-2023–27350 (CVSS score 9.8): Remote code execution flaw affecting Papercut MF or NG versions 8.0 or later on all OS platforms including application and site servers. 
• CVE-2023–27351 (CVSS score 8.2): Unauthenticated information disclosure flaw affecting Papercut MF or NG versions 15.0 or later on all OS platforms including application and site servers. 

Papercut has already fixed the flaw in a patch released on March 8, 2023. At the moment, users of the affected program should update to versions 20.1.7, 21.2.11 and 22.0.9 or later. Additionally, Trend Micro’s Zero Day initiative, which discovered and reported the issue to Papercut in the first place is expected to release more information on the issue on May 10, 2023. 

Observed CVE-2023-27350 exploitation activity by Mango Sandstorm remains low, with operators using tools from prior intrusions to connect to their C2 infrastructure: https://t.co/4w9ZMzrDBV

— Microsoft Threat Intelligence (@MsftSecIntel) May 5, 2023

After the public POCs for the vulnerabilities were published, both groups quickly shifted tactics and adapted the exploit in their operations to gain initial access. Microsoft says that this exploitation activity by Mint Sandstorm appears ‘opportunistic’, affecting organisations across sectors and geographies. On the other hand, while exploitation activity by Mango Sandstorm remains low, they’re still using it to breach unsuspecting networks. 

In the News: DAZN and beIN back global task force to combat sports piracy