Iranian state-sponsored hackers exploiting printer vulnerability
Hackers based in Iran are exploiting a recently disclosed vulnerability in a widely used print management software product, according to new research.
On Friday, Microsoft said two nation-state actors it calls Mint Sandstorm and Mango Sandstorm have been attacking organizations running unpatched versions of PaperCut MF and NG, print management software used widely by government agencies, universities, and large companies around the world.
The vulnerability, tracked as CVE-2023-27350, was initially disclosed on March 8, when PaperCut released fixed versions. Last month the company published an urgent update to its advisory recommending that customers install the patch. “We have evidence to suggest that unpatched servers are being exploited in the wild,” the company said.
Since that advisory, several ransomware groups, including Clop and LockBit, have been seen exploiting the bug, according to Microsoft.
Microsoft said once proof of concept (PoC) exploits were released publicly, the Iranian hacking groups added the bug to their arsenal of tools used to gain access to systems.
“The PaperCut exploitation activity by Mint Sandstorm appears opportunistic, affecting organizations across sectors and geographies,” Microsoft said.
More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.
— Microsoft Threat Intelligence (@MsftSecIntel) May 5, 2023
“Observed CVE-2023-27350 exploitation activity by Mango Sandstorm remains low, with operators using tools from prior intrusions to connect to their C2 infrastructure. As more threat actors begin to use this vulnerability in their attacks, organizations are strongly urged to prioritize applying the updates provided by PaperCut to reduce their attack surface.”
The bug is an authentication bypass in the PaperCut application server: an unauthenticated attacker who can reach the server's web interface can run arbitrary code on it, with the privileges of the PaperCut service. A separate, lower-severity information disclosure flaw patched in the same release (CVE-2023-27351) exposes data about users stored on a customer's server, including usernames, full names, email addresses, and payment card numbers associated with the accounts.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-27350 to its Known Exploited Vulnerabilities catalog last month, giving federal civilian agencies until May 12 to apply the patch.
Trend Micro, whose Zero Day Initiative reported the vulnerability to PaperCut, said it plans to release more information about it on May 10, according to PaperCut.
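Because both Microsoft and CISA frame the response as "find the unpatched servers and update them", the practical first step is version triage. The script below is an added example, not code from this article, from PaperCut, or from Microsoft. It compares PaperCut MF/NG version strings against the fix releases named in PaperCut's advisory (20.1.7, 21.2.11 and 22.0.9; versions 8.0 and later are affected, and older release lines have no patched build and must be upgraded). The inventory lines and the banner format "PaperCut MF x.y.z" are constructed for the example; adapt the parser to whatever your asset inventory or the server's login page actually reports.

```python
"""Triage PaperCut MF/NG version strings against the CVE-2023-27350 fix releases.

Added example. Fixed versions are those listed in PaperCut's advisory; the
inventory data below is constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Earliest fixed release on each supported branch, per PaperCut's advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}
# PaperCut stated that versions 8.0 and later are affected.
MIN_AFFECTED: Version = (8, 0, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z version from a banner such as 'PaperCut MF 22.0.4'."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a version as patched, vulnerable, unsupported or not_affected.

    'unsupported' means the release line predates the fix branches, so there is
    no patched build on that line and the server must be upgraded.
    """
    if version < MIN_AFFECTED:
        return "not_affected"
    fixed = FIXED_VERSIONS.get((version[0], version[1]))
    if fixed is None:
        # Anything newer than the newest fix release carries the fix; anything
        # older sits on a release line that never received a patch.
        newest_fix = max(FIXED_VERSIONS.values())
        return "patched" if version > newest_fix else "unsupported"
    return "patched" if version >= fixed else "vulnerable"


# Constructed inventory: "hostname,banner" per line (not real hosts).
INVENTORY = """\
print-srv-01,PaperCut MF 22.0.4
print-srv-02,PaperCut NG 21.2.11
print-srv-03,PaperCut MF 19.2.3
print-srv-04,PaperCut MF 22.0.10
"""


def triage_inventory(csv_text: str) -> Dict[str, str]:
    """Map each host in a 'host,banner' listing to its assessment."""
    results: Dict[str, str] = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, banner = line.split(",", 1)
        version = parse_version(banner)
        results[host] = assess(version) if version else "unknown"
    return results


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```

Servers reported as "vulnerable" or "unsupported" are the ones to prioritise; "unsupported" hosts cannot be patched in place and need a full upgrade to a fixed branch.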
Microsoft reported two weeks ago that Mint Sandstorm spent much of 2021 and 2022 directly targeting “US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity.”
The tech giant tied the “increased aggression of Iranian threat actors” to broader changes in Iran’s national security apparatus, “suggesting such groups are less bounded in their operations.”
“Given the hardline consensus among policymakers in Tehran and sanctions previously levied on Iran’s security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity,” the company said in a blog.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.