How the New PaperCut Flaw PoC Allows Attackers to Weaponize Ransomware Without Triggering Alarms
A new PaperCut flaw PoC (Proof of Concept) has been published that could empower attackers to weaponize ransomware on your organization's systems without being detected by most known safety measures. This exploit leverages PaperCut's "User/Group Sync" feature, enabling attackers to launch arbitrary code execution on your system with ease.
This is a serious issue and one that must be addressed immediately. Therefore, it is important for organizations to understand the implications of the new PaperCut flaw PoC and how it can be used against their system security. In this article, we will discuss the PoC exploit, how it works and what measures you can take to protect yourself from such an attack.
The Vulnerability in PaperCut's "User/Group Sync" Feature
PaperCut is a widely used print management software solution, and its "User/Group Sync" feature allows the application to synchronize user and group information from sources such as Windows Active Directory and Google Cloud Directory. However, the feature has been revealed to contain a security vulnerability which, if exploited, could allow attackers to bypass authentication and launch arbitrary code execution without giving off any alarms.
VulnCheck recently published a proof-of-concept (PoC) exploit that leverages this vulnerability. The PoC successfully bypasses all known detections for the exploit, making it an even more dangerous threat. It's worth noting that this vulnerability only affects users of PaperCut NG/MF versions 19.3.3 or below; users of version 19.3.4 are safe from these threats for now.
How the PoC Exploit Works to Bypass Detections
VulnCheck's PoC exploit leverages a previously disclosed PaperCut vulnerability to control multiple VMware products without authentication. The exploit beats all current detections, from Sysmon to log files, and even network signature detection rules, without triggering any alarms.
This is achieved by using the User/Group Sync feature, which allows an attacker to send malicious code through the Windows domain controller using a zero-day vector. The code is then executed remotely by a domain controller, allowing the attacker to gain access and control of the target.
Once malware has been launched in this manner, it can't be detected by currently available security methods like antivirus software or intrusion detection systems, making it possible for threat actors to launch ransomware attacks without being detected. This could lead to unprecedented levels of damage and destruction if action isn't taken soon to address the exploit.
Why This Flaw Is Dangerous: Enabling Stealthy Ransomware Deployments
This PaperCut flaw is particularly dangerous because it gives attackers the ability to weaponize ransomware without triggering alarms. Atera remote, a malware strain recently discovered by security researchers, was designed to specifically exploit this unpatched vulnerability.
Why ransomware?
Ransomware is a type of malicious software that encrypts files on infected computers; the files can only be decrypted by paying a hefty fee. The bad news is that the longer hackers are able to remain undetected on a network, the more systems they can infect and the better their chances of getting away with a ransom payment. They have time to understand the system and identify its valuable data, such as financial data; knowing where the money is helps them when putting a price on the ransom and negotiating it.
How this PoC works
The newly-published PoC exploit uses PaperCut's “User/Group Sync” feature to execute code in an environment that does not trigger any known detection mechanisms. This means that organizations cannot rely on standard configuration checks or alerts for malicious activity on their internal networks when it comes to the vulnerability in PaperCut.
So, if your organization hasn't patched yet, there's no time to lose. It's important to take preventive measures against this security flaw before an attack hits; otherwise you may end up paying more than just an expensive price tag for lost data or damaged systems.
The Risk of This Vulnerability Being Weaponized at Scale
The weaponization of any vulnerability poses serious risks, but particularly if it's a vulnerability as damaging as the PaperCut "User/Group Sync" vulnerability. If exploited, an attacker can launch arbitrary code execution and bypass all current detections, and in the wrong hands this exploit could be used to launch mass-scale ransomware attacks.
To guard against this risk, organizations should have risk-based vulnerability management strategies in place to prioritize remediation and patching of vulnerable applications. This can help them identify their most critical systems that need protection and any vulnerabilities that could be weaponized as soon as possible.
Being paranoid and using redundant systems is also a way to go, of course at a different location, separated from the main system.
The severity of a vulnerability can be measured by the Common Vulnerability Scoring System (CVSS), a widely used framework for assessing and rating the severity of vulnerabilities in software systems. It helps with prioritization but does not provide a full picture, first because every system is unique and other factors need to be taken into account.
The system relies on a number of subjective factors, such as the likelihood of an attack and the potential impact of an exploit, that can be difficult to quantify.
For example, the system may not consider the potential impact of a vulnerability on a specific industry or sector, or the fact that some vulnerabilities may be more difficult or costly to patch than others. The nature and maturity of the organization's operations must also be taken into account.
CVSS scores can be influenced by the availability of exploits or patches, which can lead to a false sense of security when a vulnerability is assigned a low score due to a lack of public exploits, even though attackers may have their own private exploits; we have seen this happen over time more often than it should.
It is not a perfect system and its limitations should be considered. Security professionals should use CVSS scores in conjunction with other risk assessment tools and their own expertise to make informed decisions about how to prioritize and address vulnerabilities.
How to Mitigate Risks Until a Patch Is Released
So, how can you protect your organization from the new PaperCut "User/Group Sync" exploit? This is especially important, as there are currently no patches or fixes available.
Vulnerability Scanning
The most important rule is to keep up to date on vulnerability scanning. Make sure you're always running the latest version of your software, and stay informed about security threats. This will help you make sure that your organization is not vulnerable to any known exploits.
Segmenting Networks
Another great way to protect against an attack is to segment your networks. This means that by using firewalls and virtual private networks (VPNs) you can separate critical data from less important information, reducing the risk of a successful attack on the whole system.
Restricting Access
Finally, restricting access is essential in preventing unauthorized users from gaining access to sensitive data. This means making sure that user accounts have limited privileges and are regularly monitored for any suspicious activity. Solutions like two-factor authentication can also add an extra layer of protection and ensure that only authorized individuals have access.
When Will We See a Fix for This Critical PaperCut Flaw?
The good news is that there's already a fix for this critical PaperCut flaw: PaperCut has confirmed that neither PaperCut NG nor PaperCut MF are affected by the vulnerability (CVE-2022-42889). And though the two security flaws (CVE-2023-27350 and CVE-2023-27351) are being exploited by attackers to bypass authentication and execute arbitrary code, rest assured that these flaws have already been addressed in their latest version.
Unfortunately, if you're running an older version of the software, you may have to wait until PaperCut releases an update that fixes these issues. Until then, install all security patches and make sure to update your software regularly. In the meantime, it's best to monitor your system closely for any suspicious activity and take any preventative measures necessary.
Despite the number of powerful detections deployed by modern security protocols and tools, the PoC exploit reveals that attackers can still find ways to remain undetected. Organizations that rely on security protocols and tools such as PaperCut should consider how this new PoC exploit fits into their existing defense-in-depth strategy.
For organizations already using PaperCut, remediation is recommended. In addition to patching the underlying vulnerability, it may also be necessary to completely disable the User/Group Sync feature to ensure attackers cannot leverage this avenue for attack in the future. That said, it's important for organizations to obtain guidance from their security team to ensure the security protocols and policies are properly maintained.
Senior Cybersecurity Engineer | Global Speaker