Unpatched PaperCut servers are being exploited in the wild, and experts are warning of a possible ransomware attack

It has been revealed that unpatched servers running PaperCut are being exploited in the wild, sparking concerns of a potential ransomware attack. PaperCut is a print management software provider, and the company has recently issued a warning stating that it has “evidence to suggest that unpatched servers are being exploited in the wild.” Cybersecurity provider Trend Micro has also issued reports on two vulnerabilities within PaperCut that are actively being exploited. Experts are urging all users of PaperCut to upgrade to the latest versions of its software to ensure their systems are secure.

PowerShell commands spawned from PaperCut software to install RMM software

The risk is reportedly serious, with emerging reports indicating that PowerShell commands are being spawned from PaperCut software to install remote management and maintenance (RMM) software such as Atera and Syncro. This is allowing attackers to gain persistent access and execute code on infected hosts, which can potentially lead to devastating consequences. Cybersecurity provider Huntress has found almost 1,800 publicly exposed PaperCut servers, all of which could be at risk of attack.

TrueBot attributed to Russian criminal entity ‘Silence’

The issue further underscores the need for organizations to maintain their security posture, as criminal organizations with technical expertise to carry out such attacks are actively seeking vulnerable targets. One such group is Silence, a Russian criminal entity attributed to TrueBot malware. Silence has links to another Russian criminal entity known as Evil Corp, and its overlapping cluster TA505 has been previously linked to the Cl0p ransomware.

Upgrading to the fixed versions of PaperCut is recommended to mitigate risks

Experts are recommending that all users of PaperCut upgrade to the latest versions of its software as soon as possible. PaperCut has issued patches to address the vulnerabilities, with fixed versions being released as PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9). This will help mitigate the risks of a possible ransomware attack and ensure that systems are secure.

Lock down network access to servers for those unable to upgrade

However, some users may not be able to upgrade to the latest version of PaperCut software, leaving them vulnerable to attack. For those unable to upgrade, experts recommend locking down network access to the servers by blocking all inbound traffic from external IPs and limiting IP addresses to only those belonging to verified site servers. This will help reduce the risk of a successful attack, even in the absence of updates.

Regarding links to a ransomware entity

The links between PaperCut’s software and Silence, which is a known ransomware entity, are concerning. While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, the links to a known ransomware entity raise red flags for cybersecurity experts.

Access gained through PaperCut exploitation could lead to follow-on movement and ransomware deployment

The risk of ransomware being deployed cannot be overstated. The access gained through PaperCut’s exploitation could be used as a foothold leading to follow-on movement within victims’ networks, and ultimately a ransomware deployment. The risks of such an attack would be significant, potentially causing extensive data breaches and financial loss to organizations worldwide.

Domain hosting tools also host malware like TrueBot

Further analysis has revealed that the domain hosting the tools for the attack is windowservicecemter.com, which was registered on April 12, 2023. This domain has also been linked to other malware like TrueBot, emphasizing the importance of maintaining security and vigilance across all aspects of cybersecurity.

An analysis conducted by PaperCut suggests that the earliest evidence of activity linked to the vulnerability was on April 14

PaperCut has conducted its analysis on all customer reports of a possible attack, with the earliest signature of suspicious activity on a customer server, potentially linked to this vulnerability, being noted on April 14. This highlights the importance of organizations remaining vigilant and securing against possible attacks, and the need for timely upgrades and patches for all systems and software.

The threat posed to organizations by unpatched servers running PaperCut has been mounting over the last few weeks. Experts are urging all users to take steps to secure their systems, including upgrading to the latest version of the software, which has been patched to address the vulnerabilities. Those who cannot upgrade are urged to take steps to lock down network access to their servers. With the risks of a potential ransomware attack looming, security experts warn that organizations must remain alert, vigilant, and secure against cybercriminals seeking to exploit vulnerabilities in their systems.

Explore more