The flaw, tracked as CVE-2023-27350 (CVSS score 9.8), affects PaperCut MF and NG versions 8.0 and later. It is a critical-severity unauthenticated remote code execution bug that has been used in ransomware campaigns.
The flaw, discovered in March 2023, apparently enabled threat actors to execute code through PaperCut's built-in scripting interface. Although it was subsequently patched, an update to the advisory released in April warned that it was being actively exploited in attacks.
Since then, a variety of threat actors, including ransomware operators, have exploited the vulnerability, and post-exploitation activities have resulted in the execution of PowerShell instructions used to deliver extra payloads.
Researchers soon released PoC exploits for the RCE flaw, and Microsoft later confirmed that the Clop and LockBit ransomware gangs had used it to gain initial access. In response, several security firms have provided detection guidelines for PaperCut attacks and indicators of compromise, including Sysmon, log files, and network signatures.
However, a new attack technique, identified by VulnCheck researchers, can bypass current detections, enabling attackers to exploit CVE-2023-27350 without hindrance. "This report shows that detections that focus on one code execution method, or that focus on a small subset of techniques used by one threat actor, are doomed to be useless in the next round of attacks," explains VulnCheck.
Bypassing Detection
According to VulnCheck, Sysmon-based detections that rely on process creation analysis have already been defeated by existing PoCs that employ different child process creation methods.
As for the log file detections, VulnCheck notes that they cannot be trusted as an accurate indicator of exploitation, since they only flag what looks like normal admin user logins. Moreover, there is a way to exploit CVE-2023-27350 without leaving entries in the log files at all.
Instead of the built-in scripting interface, the newly released PoC abuses the "User/Group Sync" feature in PaperCut NG, which lets an admin user specify a custom program to be run for user authentication.
VulnCheck's PoC uses "/usr/sbin/python3" on Linux and "C:\Windows\System32\ftp.exe" on Windows, and supplies the malicious input as the credentials during a login attempt, which is what triggers the code execution.
Because this method neither spawns a direct child process nor generates a distinctive log entry, both the Sysmon and the log file detections are bypassed. The network signature detections, in turn, can be evaded simply by altering the HTTP request, for example by adding a slash or making other arbitrary changes to it.
Although VulnCheck did not offer alternative detection techniques that are effective against all PoCs, it did warn that attackers closely monitor the detection techniques defenders rely on and modify their attacks to evade them.
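To illustrate why a signature keyed on the exact request line is so easy to defeat, here is an added example (not from the article or VulnCheck) that compares a naive exact-match signature with one that canonicalises the request path before matching. The endpoint path and the request lines are constructed placeholders, since the article does not name the real URL the signatures look for.

```python
import re
from urllib.parse import unquote

# Placeholder endpoint: the article does not name the request path that the
# network signatures match on, so this stands in for it (assumption).
WATCHED_PATH = "/example/setup-endpoint"


def naive_signature(request_line: str) -> bool:
    """Exact-match signature: defeated by an extra slash or any cosmetic change."""
    return request_line.startswith(f"GET {WATCHED_PATH} ")


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path before matching: strip the query string,
    percent-decode, collapse repeated slashes, drop '.' segments and a
    trailing slash, so cosmetic variants map to the same string."""
    path = unquote(raw_path.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    segments = [s for s in path.split("/") if s not in ("", ".")]
    return "/" + "/".join(segments)


def robust_signature(request_line: str) -> bool:
    """Match on the canonical path rather than the raw request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    return normalize_path(parts[1]) == normalize_path(WATCHED_PATH)


# Constructed sample request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /example/setup-endpoint HTTP/1.1",        # the exact form the signature expects
    "GET /example//setup-endpoint HTTP/1.1",       # extra slash
    "GET /example/setup-endpoint/ HTTP/1.1",       # trailing slash
    "GET /example/./setup-endpoint HTTP/1.1",      # dot segment
    "GET /example/setup%2Dendpoint?x=1 HTTP/1.1",  # percent-encoding plus query string
    "GET /example/other HTTP/1.1",                 # unrelated request
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (naive_hits, robust_hits): how many sample lines each signature flags."""
    naive = sum(naive_signature(r) for r in requests)
    robust = sum(robust_signature(r) for r in requests)
    return naive, robust
```

On the sample above the exact-match signature flags only the first line, while the canonicalising one flags all five variants of the watched path and still ignores the unrelated request.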
Thus, the best defence against this attack is to apply the recommended security patches by updating PaperCut MF and PaperCut NG to versions 20.1.7, 21.2.11, or later.