"Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability"

Microsoft recently warned that more threat actors have started targeting a recently patched vulnerability in PaperCut MF/NG print management solutions, including Iranian state-sponsored groups.  The critical flaw tracked as CVE-2023-27350 (CVSS score of 9.8) and patched in March 2023 could allow remote, unauthenticated attackers to bypass authentication and execute arbitrary code with the privileges of the System user.  In late April, PaperCut urged customers to update their installations as soon as possible.  A few days later, Microsoft reported that it had seen a Cl0p ransomware operator affiliated with the FIN11 and TA505 Russian groups exploiting the vulnerability for weeks.  Now, Microsoft warns that Iranian state-sponsored threat actors Mint Sandstorm and Mango Sandstorm have adopted publicly available proof-of-concept (PoC) code exploiting the bug and are targeting unpatched PaperCut installations in attacks.  For now, Microsoft stated that Mint Sandstorm activity targeting CVE-2023-27350 appears opportunistic, while Mango Sandstorm’s exploitation of the flaw remains low.  Microsoft noted that as more threat actors begin to use this vulnerability in their attacks, organizations are strongly urged to prioritize applying the updates provided by PaperCut to reduce their attack surface.  Also tracked as Ajax Security Team, Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, Mint Sandstorm has been active since at least 2011, targeting governments, critical infrastructure, activists, journalists, and other entities.

SecurityWeek reports: "Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability"