SOCRadar® Cyber Intelligence Inc. | Active Exploitation of Serious Vulnerabilities in PaperCut, Veeam, and TP-Link

Resources

Apr 28, 2023

10 Mins Read

Active Exploitation of Serious Vulnerabilities in PaperCut, Veeam, and TP-Link

[Update] April 18, 2024: “Indicators of Compromise Related to the Exploitation of CVE-2023-1389”

[Update] April 18, 2024: “Multiple Botnet Operations Exploit CVE-2023-1389: Urgent Update Advised for TP-Link Archer AX21 Routers”

[Update] May 15, 2023: The Bl00dy Ransomware gang has started exploiting the CVE-2023-27350 vulnerability. Added the subheading: “Bl00dy Ransomware Exploits PaperCut RCE in Education Industry.”

[Update] May 9, 2023: State-sponsored threat actors named Mint Sandstorm and Mango Sandstorm, both based in Iran, are taking advantage of unpatched PaperCut instances. Microsoft reports that Mango Sandstorm exploitation activity is still minimal, with operators connecting to organizations’ C2 infrastructure using tools from prior intrusions; in contrast, Mint Sandstorm exploitation activity appears opportunistic, affecting businesses across industries and regions.

[Update] May 5, 2023: Added the subheading: “Proof-of-Concept Exploit Available for PaperCut Vulnerability CVE-2023-27350.”

Recent incidents that marked the cybersecurity landscape and brought attention involve the active exploitation of several vulnerabilities affecting PaperCut, Veeam, and TP-Link.

Microsoft has just confirmed that PaperCut servers have been targeted with ransomware. The threat actor FIN7 has been linked to attacks exploiting a vulnerability in Veeam Backup & Replication software. In addition, the Mirai botnet has been updated to exploit a serious vulnerability in TP-Link routers.

In this blog post, you can further explore these three incidents and their implications for cybersecurity.

PaperCut Server Vulnerabilities Exploited to Deliver Cl0p and LockBit Ransomware

Microsoft has confirmed that the active exploitation of PaperCut servers involves the distribution of Cl0p and LockBit ransomware.

The Microsoft threat intelligence team has reported that the intrusions are linked to a threat actor named Lace Tempest (previously known as DEV-0950). In the attacks, the threat actor used multiple PowerShell commands to deliver a TrueBot DLL.

Lace Tempest is a known affiliate of Cl0p ransomware and has previously utilized Fortra GoAnywhere MFT and Raspberry Robin infections in its attacks.

Active Exploitation of PaperCut Servers via CVE-2023-27350 and CVE-2023-27351

PaperCut detected suspicious activity on a customer server in mid-April, indicating that unpatched servers are being exploited in the wild. The initial investigation also pointed to the TrueBot malware, which is attributed to Russian hacker(s) named “Silence.”

The attacks were possible due to two vulnerabilities residing in PaperCut Application Server and MF/NG, identified as CVE-2023-27350 (CVSS score: 9.8, Critical) and CVE-2023-27351 (CVSS score: 8.2, High).

CVE-2023-27350 could allow a remote, unauthenticated attacker to achieve remote code execution on a vulnerable PaperCut Application Server, while CVE-2023-27351 could allow an unauthenticated attacker to obtain sensitive information from vulnerable PaperCut NG or MF instances, such as usernames, names, and email addresses.

Lace Tempest Exploits PaperCut Vulnerabilities to Deploy Cl0p Ransomware

Microsoft has reported that the threat actor has added the CVE-2023-27350 and CVE-2023-27351 vulnerabilities of PaperCut to its attack toolkit as early as April 13.

In the attack that resulted in the deployment of Cl0p ransomware, Lace Tempest used TrueBot DLL to connect to a C2 server. They then attempted to steal LSASS credentials and injected the TrueBot payload into the conhost[.]exe service, as explained by Microsoft on Twitter.

After that, the attacker installed a Cobalt Strike Beacon implant, which helped them to move laterally across the network, conduct reconnaissance, and exfiltrate files via the file-sharing service named MegaSync.

Security firms Redmond and Huntress have also shared details, and they reported that a different threat activity uses PaperCut vulnerabilities to distribute LockBit ransomware. Some threat actors are also exploiting them to deploy Monero cryptocurrency miners on infected systems.

PaperCut released patches to fix CVE-2023-27350 and CVE-2023-27351 vulnerabilities at the end of March. However, on April 19, the company warned in an advisory that the vulnerabilities were being widely exploited in the wild. Refer to the mentioned PaperCut advisory for details and the upgrade documentation for available updates.

Proof-of-Concept Exploit Available for PaperCut Vulnerability CVE-2023-27350

Huntress researchers found a way to get past authentication by going to the SetupCompleted page on the server and then clicking Login. This allowed them to login as if they were an administrator user without needing any credentials.

Additionally, they uncovered that disabling print-and-device.script.enabled and print.script.sandboxed would allow Java code to run on the server. By removing the sandboxing, the printer scripts would have direct access to the Java runtime, allowing for trivial code execution. As a result, an attacker could add malicious code to the default JavaScript template printer script, indicating they could simply edit a printer script to gain remote code execution. You can find video demonstration of the exploit on YouTube.

Horizon3 has briefly examined Huntress’ proof-of-concept (PoC) exploit on their blog and also published their own PoC on GitHub, which you can find here.

VulnCheck has provided another PoC exploit. The PaperCut NG interface allows an administrative user to specify a “Custom Program” to source and authenticate users, and this feature can be abused by attackers to execute arbitrary code by providing a malicious username and password.

Proof-of-concept exploits have been developed for both Linux and Windows. The auth program has to be interactive, but any program on disk can be used.

On the Linux side, the auth program is set to /usr/sbin/python3, while on the Windows side, ftp[.]exe is used.

By providing a malicious username and password during a login attempt, an attacker can execute arbitrary code. The attack is carried out by downloading a binary to C:ProgramData and executing it, resulting in a process tree of pc-app.exe -> ftp.exe -> cmd.exe -> AXtJxdUwlfJI.exe. This approach doesn’t generate expected log entries and bypasses process-creation-based detections. A YouTube video demonstrating the exploit can be found here.

Bl00dy Ransomware Exploits PaperCut RCE in Education Industry

The Bl00dy Ransomware gang is also exploiting the PaperCut remote code execution vulnerability, CVE-2023-27350. The gang has been active since May 2022 and employs an encryptor based on leaked LockBit, Babuk, and Conti source codes.

According to a joint advisory by the FBI and CISA, Bl00dy Ransomware exploited the vulnerability in early May 2023 to gain initial access to networks in the Education Facilities Subsector. Some of these operations resulted in data exfiltration and the encryption of target systems.

CISA has stated that the threat actor focuses on the education industry, which accounts for approximately 68% of the PaperCut servers exposed to the internet.

Visit the official CISA advisory for more information, including indicators of compromise (IoC), signs of exploitation, network traffic signatures, and child processes to monitor. It is advised to apply the latest security updates on PaperCut MF and NG servers for an ultimate fix.

FIN7 Exploits Veeam Vulnerability CVE-2023-27532 with POWERTRASH Dropper

A Russian cybercrime group called FIN7 has been linked to attacks that exploit a vulnerability in Veeam Backup & Replication software, which allows the group to distribute a PowerShell-based dropper called POWERTRASH, which can execute a hidden payload.

WithSecure detected this activity on March 28, 2023, and suspects that the group took advantage of CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication, which allowed attackers to gain access to infrastructure hosts and steal encrypted credentials stored in the configuration database.

Custom PowerShell scripts were used in the attacks to steal system information, establish an active foothold in the compromised host, and retrieve stored credentials from backup servers. This was done by running DICELOADER, also known as Lizar or Tirion, each time the compromised host booted up.

Additionally, the attackers used a previously unknown persistence script called POWERHOLD.

The DICELOADER malware was decoded and executed using another unique loader called DUBLOADER. The group also ran SQL commands to steal information from the Veeam backup database.

According to security researchers Neeraj Singh and Mohammad Kazem Hassan Nejad, these attacks’ objectives were unclear because they were stopped before they could be fully carried out.

However, they noted that these findings suggest that the FIN7 group is constantly evolving and refining its tactics. Additionally, FIN7 has incorporated new malware tools into their arsenal, including a loader and backdoor called Domino, which has been identified by IBM Security X-Force and is intended to facilitate further exploitation after an initial attack.

Mirai Botnet Exploits Flaw in TP-Link Archer AX21 Routers, Causing DDoS Attacks

Recently, the Mirai botnet has been updated to exploit a serious vulnerability in TP-Link Archer AX21 routers. This flaw, CVE-2023-1389 (CVSS score: 8.8), allows hackers to execute code on the router without authentication.

Researchers from Team Viettel and Qrious Security first discovered the vulnerability, and TP-Link released a fix in March 2023.

However, the Zero Day Initiative observed in-the-wild exploitation on April 11, 2023. The attackers took advantage of the flaw by using an HTTP request to connect to the Mirai command-and-control (C2) servers.

The payload downloaded from the C2 servers then turned the device into a botnet that launched distributed denial-of-service (DDoS) attacks against game servers.

The ZDI researcher, Peter Girnus, recommended applying the patch to address this vulnerability as it is the only effective solution.

Multiple Botnet Operations Exploit CVE-2023-1389: Urgent Update Advised for TP-Link Archer AX21 Routers

According to recent reports, multiple botnet operations are exploiting the CVE-2023-1389 vulnerability, infecting TP-Link Archer AX21 (AX1800) routers for further malicious activity.

In our previous report, we highlighted the Mirai botnet’s exploitation of the vulnerability; in a new alert, Fortinet noted a significant increase in exploitation attempts, originating from six botnet operations: AGoent, Gafgyt Variant, Moobot, Mirai Variant, Miori, and Condi.

Fortinet’s telemetry data reveals that since March 2024, infection attempts leveraging CVE-2023-1389 have frequently surpassed 40,000 and peaked at 50,000.

Telemetry of attempted intrusions (Fortinet)

The varying tactics and scripts utilized by these botnets to exploit CVE-2023-1389 often result in Distributed Denial-of-Service (DDoS) and brute force attacks on victim devices.

This surge in malicious activity underscores the prevalence of unpatched instances, thereby, urgent action is required: users of TP-Link Archer AX21 routers should promptly update their firmware.

As a precaution against such threats, disabling web access to the admin panel and using strong passwords are recommended. For further details, refer to Fortinet’s article and review the indicators of compromise provided at the end of this blog post.

Proactive Vulnerability Prioritization with SOCRadar

SOCRadar’s Attack Surface Management feature enables real-time tracking of product vulnerabilities that are automatically detected in an organization’s digital footprint. This allows security teams to proactively prioritize vulnerabilities by accessing contextual intelligence.

Additionally, the Vulnerability Intelligence in the Cyber Threat Intelligence tab provides visibility on vulnerability trends that threat actors actively exploit.