More information has been revealed about how criminals are using the recently-discovered PaperCut security flaws, which looked to use humble office printers to gain entrance to corporate networks.
According to a new report on BleepingComputer, cybercriminals are using two flaws in the popular print (opens in new tab) management software to deliver the Atera remote management software to vulnerable endpoints. Such software allows the attackers to take full control of the target devices.
We have also gotten two proofs-of-concept (PoC) showcasing exactly how the vulnerabilities could be exploited, exponentially increasing their destructive potential. The first PoC was released by attack surface assessment firm Horizon3, which explained that the exploit allows for “remote code execution by abusing the built-in ‘Scripting' functionality for printers.”
Few targets
The managed cybersecurity platform providers Huntress also showcased their PoC, but only in the form of a video demo. The actual PoC is yete to be released.
The silver lining is that there are only around 1,700 internet-exposed PaperCut servers that the attackers could target, BleepingComputer says, citing data from a Shodan search. Still, even one successful attack is one too many.
There are patches and workarounds for the flaws, though, so users are advised to address the problem immediately and minimize any potential risk. System admins should make sure their software is patched to versions 20.1.7, 21.2.11 (MF), and 22.0.9 (NG).
The second flaw can also be mitigated by applying “Allow list” restrictions found in Options > Advanced > Security > Allowed site server IP addresses, and only allowing verified Site Server IP addresses to access the network.
Those interested in double-checking whether or not your systems were compromised are out of luck, as PaperCut says it’s impossible to determine, with absolute certainty, if a threat actor breached the network.
The devs suggested IT teams look for suspicious activity in the PaperCut admin interface under Logs > Application Log, including updates from a user called [setup wizard]. They can also look for new users being created, or configuration keys changed.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba