
Cyber Incident Victim: PaperCut

Date: Mar 2023

Location: United States of America

Summary

Multiple Iranian state-sponsored threat actors, including Mango Sandstorm and Mint Sandstorm linked to Iranian intelligence and military entities, exploited a critical pre-authentication remote code execution vulnerability (CVE-2023-27350) impacting unpatched print management servers. The opportunistic attacks targeted organizations globally across various sectors, facilitating initial network access that enabled follow-on activities such as ransomware deployment by groups like Lace Tempest (affiliated with Clop and FIN11) and LockBit operators. Security researchers observed evolving exploitation techniques bypassing existing detections, underscoring the persistent threat to vulnerable systems despite prior warnings. Large enterprises, government agencies, and educational institutions were among the affected entities, with exploitation activity continuing post-disclosure amid public release of proof-of-concept exploits and federal mandates to remediate.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors
Type: available to members
Location: available to members

Description

The exploitation of critical vulnerability CVE-2023-27350 in PaperCut MF and NG print management servers escalated through March 2023 and evolved into a broader attack campaign involving multiple threat groups. This pre-authentication remote code execution flaw affected versions 8.0 and later of the software, which is used by large enterprises, government entities, and educational institutions globally; the vendor reports over 70,000 organizational customers. Security researchers published proof-of-concept exploits shortly after the vulnerability's initial disclosure, enabling attackers to gain initial access to corporate networks. Microsoft confirmed by late March that ransomware operations including Clop (linked to FIN11 and TA505 under Microsoft's Lace Tempest cluster) and LockBit were actively leveraging the flaw to breach targets. In April 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally added this vulnerability to its Known Exploited Vulnerabilities Catalog on April 21, requiring federal agencies to remediate affected PaperCut servers by May 12.


By May 2023, Microsoft observed Iranian state-sponsored threat groups expanding the attack landscape. Designated as Mint Sandstorm (Phosphorus/APT35, associated with Iran's Islamic Revolutionary Guard Corps) and Mango Sandstorm (Mercury/MuddyWater, tied to Iran's Ministry of Intelligence and Security), these actors exploited CVE-2023-27350 through opportunistic attacks across diverse sectors and regions. While Mango Sandstorm exhibited lower exploitation volumes and reused established command-and-control infrastructure and tooling from prior operations, Mint Sandstorm conducted broader intrusions. Some compromises led to LockBit ransomware deployments, though Microsoft did not disclose specific incident details. Security firm VulnCheck subsequently revealed a novel attack methodology that circumvented existing detection rules for the vulnerability, highlighting defensive gaps as attackers adapted to published countermeasures. PaperCut's developer addressed the vulnerability in versions 20.1.7, 21.2.11, and 22.0.9, urging immediate upgrades to eliminate the attack vector. The coordinated exploitation by both cybercriminal ransomware operators and Iranian state-aligned groups underscored the vulnerability's widespread impact across the global PaperCut user base.
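The remediation guidance above reduces to a version check per branch, and an asset owner with many print servers wants that check automated rather than eyeballed. The following is an added example, not PaperCut's code or anything from this page's source; it encodes only what the page states (versions 8.0 and later affected; fixes in 20.1.7, 21.2.11 and 22.0.9). Two things are assumptions: that inventory tools report the version as "major.minor.patch" possibly followed by a build suffix, and that any branch newer than 22 is treated as patched while affected branches with no listed fix (8.x through 19.x) are simply flagged for upgrade. The hostnames in the sample inventory are constructed.

```python
"""Assess whether a reported PaperCut MF/NG version is patched for CVE-2023-27350.

Added illustration (not PaperCut's or the page's own code). Uses only what the
incident page states: versions 8.0 and later are affected, and the fix shipped
in 20.1.7, 21.2.11 and 22.0.9. Branches with no listed fix are flagged as
needing an upgrade; anything newer than the listed fix branches is assumed
patched (assumption, not stated on the page).
"""
from __future__ import annotations

# Fixed releases per branch, as stated on the page.
FIXED_BY_BRANCH: dict[int, tuple[int, int, int]] = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
AFFECTED_FROM = (8, 0, 0)  # "versions 8.0 and later"


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '22.0.9' or '22.0.9 (Build 66047)' into a 3-tuple.

    The '(Build N)' suffix form is an assumption about how inventory tools
    report the version; anything after the first whitespace is ignored.
    """
    core = text.strip().split()[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])  # pad e.g. '8.0' -> (8, 0, 0)


def assess(text: str) -> str:
    """Classify one version string as not-affected / vulnerable / patched /
    upgrade-required, following the page's affected range and fix versions."""
    v = parse_version(text)
    if v < AFFECTED_FROM:
        return "not-affected"
    major = v[0]
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if major > max(FIXED_BY_BRANCH):
        return "patched"  # assumption: newer than every listed fix branch
    return "upgrade-required"  # affected branch (8.x-19.x) with no listed fix


def find_exposed(inventory: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (host, version, status) for every server that still needs action."""
    return [
        (host, ver, status)
        for host, ver in inventory
        if (status := assess(ver)) in ("vulnerable", "upgrade-required")
    ]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("print-hq-01", "22.0.9 (Build 66047)"),
    ("print-hq-02", "22.0.8"),
    ("print-campus-a", "21.2.11"),
    ("print-campus-b", "20.1.6"),
    ("print-legacy", "19.2.3"),
    ("print-ancient", "7.9"),
]

if __name__ == "__main__":
    for host, ver, status in find_exposed(SAMPLE_INVENTORY):
        print(f"{host:16} {ver:22} {status}")
```

Because the comparison is done on integer tuples rather than on the raw strings, 21.2.11 correctly sorts above 21.2.9, which a lexical comparison would get wrong; that is the usual pitfall when scripting this kind of check against an inventory export.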

Sources: 1 source (available to members)