Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability-Information Security Announcement-Tainan Branch, Administrative Enforcement Agency, Ministry of Justice

:::

Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

Publication Date ： 2023-05-11
Last updated：2023-06-19
View count：82

Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft disclosed over the weekend.

The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access.

"This activity shows Mint Sandstorm's continued ability to rapidly incorporate [proof-of-concept] exploits into their operations," Microsoft said in a series of tweets.

On the other hand, CVE-2023-27350 exploitation activity associated with Mango Sandstorm is said to be on the lower end of the spectrum, with the state-sponsored group "using tools from prior intrusions to connect to their C2 infrastructure."

It's worth noting that Mango Sandstorm is linked to Iran's Ministry of Intelligence and Security (MOIS) and Mint Sandstorm is associated with the Islamic Revolutionary Guard Corps (IRGC).

The ongoing assault comes weeks after Microsoft confirmed the involvement of Lace Tempest, a cybercrime gang that overlaps with other hacking groups like FIN11, TA505, and Evil Corp, in abusing the flaw to deliver Cl0p and LockBit ransomware.

CVE-2023-27350 (CVSS score: 9.8) relates to a critical flaw in PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.