TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

Critical Vulnerabilities in PaperCut Print Management Software | Huntress

2023-04-21

ATT&CK techniques detected

9 predictions
T1204.002 Malicious File
88%
"and take appropriate action. 4/22/23 exploitation seen on 4/22/23 new exploitation was seen where the first stage pulled down a .bat file (http://50.19.48[.]59:82/me1.bat): cmd.exe /c powershell -enc == when run, the script attempts to disable windows…"
T1219 Remote Access Tools
82%
"…6 hash: f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb), is an installation package for the legitimate atera remote management and maintenance (rmm) software. the package is installed in a subsequent command again spawned from the exploited papercut instan…"
T1204.002 Malicious File
74%
"embedded rhino javascript engine. by disabling sandboxing, the printer scripts now have direct access to the java runtime which enables trivial code execution. as intended, the scripts contain only functions which serve as hooks for future execution, however the global scope is e…"
T1204.002 Malicious File
71%
"a cvss severity score of 8.2 and 9.8. shodan reports about ~1,800 publicly exposed papercut servers (at least, with the search query of finding papercut in the html, as the listening port is 9191 by default but can be customized). note that there is no clear reason why this…"
T1204.002 Malicious File
71%
"…7c40ee609aceb1c1036706a5af0d3d78738b6cc4125) file is more interesting, as recovery and analysis shows this is actually a windows dll, specifically a truebot malware variant. huntress has previously encountered truebot installations as post-exploit payloads. while huntress di…"
T1486 Data Encrypted for Impact
40%
"…7c40ee609aceb1c1036706a5af0d3d78738b6cc4125) file is more interesting, as recovery and analysis shows this is actually a windows dll, specifically a truebot malware variant. huntress has previously encountered truebot installations as post-exploit payloads. while huntress di…"
T1204.002 Malicious File
38%
"papercut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment. given the potential for disruptive operations linked to the above, huntress performed further research yielding additional, potential…"
T1055.001 Dynamic-link Library Injection
37%
"embedded rhino javascript engine. by disabling sandboxing, the printer scripts now have direct access to the java runtime which enables trivial code execution. as intended, the scripts contain only functions which serve as hooks for future execution, however the global scope is e…"
T1068 Exploitation for Privilege Escalation
30%
"windows hosts with papercut installed - 908 total windows hosts with vulnerable versions of papercut installed. (~90%) - spread across 710 distinct organizations - 3 total macos hosts with papercut server installed - 2 total macos hosts with vulnerable versions of papercut in…"
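The excerpts above describe a chain in which the exploited PaperCut server spawns cmd.exe, which runs PowerShell with an encoded (-enc) command. The detection sketch below is an added example, not Huntress's or PaperCut's code: it runs two rules over constructed process-creation records, one for the PaperCut server image spawning a shell and one for an encoded PowerShell argument, which it also decodes so an analyst can read the payload. The server image name pc-app.exe, the install path, and the Key=Value|Key=Value record format are assumptions made for this example; every sample event is constructed.

```python
"""Detection sketch for the PaperCut exploitation chain quoted above.

Added example (not Huntress's or PaperCut's code). Two rules:
  1. the PaperCut server process spawning cmd.exe / powershell.exe, and
  2. a PowerShell -EncodedCommand argument, whose Base64 / UTF-16LE payload
     is decoded so an analyst can read it.
Assumptions: the server image is pc-app.exe and the 'Key=Value|Key=Value'
record format used below; all sample events are constructed for this example.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Assumption: PaperCut NG/MF application server image name on Windows.
PAPERCUT_IMAGES = {"pc-app.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en,
# -enc, ...), case-insensitively; the argument is Base64 of UTF-16LE text.
_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell(script: str) -> str:
    """Produce an -EncodedCommand argument exactly as PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script behind an -enc argument, or None if absent or invalid."""
    match = _ENC_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_event(line: str) -> Dict[str, str]:
    """Parse the constructed 'Key=Value|Key=Value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Last path component, lower-cased, so rules match on the binary name only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of the rules that fire for one event (empty list if none)."""
    findings: List[str] = []
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent in PAPERCUT_IMAGES and child in SHELL_IMAGES:
        findings.append("papercut_spawned_shell")
    # Only inspect lines that actually invoke PowerShell; a bare '-e' is too generic.
    if re.search(r"powershell|pwsh", cmdline, re.I) and decode_encoded_command(cmdline) is not None:
        findings.append("encoded_powershell")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line index, findings) for every event that triggers at least one rule."""
    results: List[Tuple[int, List[str]]] = []
    for idx, line in enumerate(lines):
        findings = evaluate(parse_event(line))
        if findings:
            results.append((idx, findings))
    return results


# Constructed sample events. The PaperCut install path is assumed.
_SAMPLE_PAYLOAD = "Write-Host 'constructed sample payload'"
_PC_APP = "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe"
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # Shape of the chain quoted above: server -> cmd.exe /c powershell -enc ...
    f"ParentImage={_PC_APP}|Image=C:\\Windows\\System32\\cmd.exe"
    f"|CommandLine=cmd.exe /c powershell -enc {encode_powershell(_SAMPLE_PAYLOAD)}",
    # Routine admin PowerShell: no PaperCut parent, no encoded command.
    f"ParentImage=C:\\Windows\\explorer.exe|Image={_PS}"
    "|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    # Server spawning an unencoded shell still trips the parent/child rule.
    f"ParentImage={_PC_APP}|Image={_PS}|CommandLine=powershell -nop -w hidden -c \"Start-Sleep 1\"",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, findings)
        decoded = decode_encoded_command(parse_event(SAMPLE_EVENTS[idx])["CommandLine"])
        if decoded:
            print("   decoded:", decoded)
```

The parent/child rule is deliberately independent of the command line: the second sample shows routine PowerShell use that should not alert, while the third shows that a shell spawned by the server is worth a look even without an encoded payload. On real telemetry, map `ParentImage`, `Image` and `CommandLine` to the equivalent fields of your process-creation source and confirm the server's image name in your own environment before relying on `PAPERCUT_IMAGES`.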

Summary

Our team is tracking in-the-wild exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.