Agencies Warn Against Vulnerabilities in Unpatched PaperCut Servers

The FBI and the Cybersecurity and Infrastructure Security Agency warned organizations about a critical vulnerability that allows unauthorized access to select versions of PaperCut NG and PaperCut MF printer software applications.

According to a joint advisory warning, the PaperCut vulnerability allows ransomware actors to remotely execute codes against education facilities. The FBI also noted that the Bl00dy Ransomware Gang has been using the vulnerability since mid-April.

The agencies said PaperCut released a patch in March. Organizations using unpatched PaperCut systems are warned to assume that they have been compromised and look for malicious activity through detection signatures, SC Media reported.

According to the advisory, remote code execution has been successfully implemented to execute shell commands and execute a living-off-the-land-style attack. The agencies warn that threat actors may develop other RCE methods.

To detect potential compromises, users are asked to look for network traffic signatures on servers, monitor systems for child processes and check server settings and log files for suspicious changes. Shawn Surber, senior director and technical account management at the software company Tanium, said in addition to looking for indicators of compromise, organizations must also learn more about the ransomware group.

An earlier report revealed that hackers used the PaperCut vulnerability to install Atera and Syncro remote management and maintenance software hosted in a domain previously housing a piece of Russian malware.