Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

May 9, 2023 | Ravie Lakshmanan | Cyber Espionage / Vulnerability


According to Microsoft, Iranian nation-state groups have joined the ranks of financially motivated attackers actively exploiting a critical flaw in PaperCut's print management software.

The tech giant's threat intelligence team said it has observed both Mango Sandstorm (also known as Mercury) and Mint Sandstorm (also known as Phosphorus) weaponizing CVE-2023-27350 to gain initial access.

"This activity demonstrates Mint Sandstorm's continued ability to quickly integrate [proof-of-concept] exploits into their operations," Microsoft said in a series of tweets.

The CVE-2023-27350 exploitation activity associated with Mango Sandstorm, on the other hand, is said to be at the lower end of the spectrum, with the state-sponsored group said to be using "tools from previous intrusions to connect to C2 infrastructure."


Mango Sandstorm is assessed to be linked to Iran's Ministry of Intelligence and Security (MOIS), while Mint Sandstorm is linked to the Islamic Revolutionary Guard Corps (IRGC).

The findings come weeks after Microsoft confirmed that Lace Tempest, a cybercriminal group that the company says overlaps with other hacking crews such as FIN11, TA505, and Evil Corp, had been exploiting the same flaw to deliver Cl0p and LockBit ransomware.

CVE-2023-27350 (CVSS score: 9.8) is a critical flaw in PaperCut MF and NG installations that an unauthenticated attacker can exploit to execute arbitrary code with SYSTEM privileges.

PaperCut released a patch on March 8, 2023. Trend Micro's Zero Day Initiative (ZDI), which discovered and reported the issue, is expected to publish further technical details on May 10, 2023.

Last week, cybersecurity firm VulnCheck released details of a new attack path that could evade existing detections, allowing adversaries to exploit the flaw unhindered. The practical consequence is that the absence of signature hits for the public exploit is not evidence that a server is safe; the only reliable indicator is that the server is running a fixed version.


With more attackers jumping on the PaperCut exploit bandwagon to compromise vulnerable servers, it is essential that organizations apply the necessary updates (PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9 and above) without delay.
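To turn the fixed version list above into something an operations team can actually run against a server inventory, here is an added example (not PaperCut's or Microsoft's code) that parses the version string shown in the PaperCut admin "About" page and reports which hosts are still below the fixed release for their branch. The fixed releases 20.1.7, 21.2.11 and 22.0.9 come from the article; the rules for branches older than 20.x (no fixed release listed, so reported as unpatched) and newer than 22.x (assumed to ship with the fix), and the hostnames and build numbers in the sample inventory, are assumptions made for the example.

```python
"""Triage PaperCut MF/NG versions against the fixed releases for CVE-2023-27350.

Added example; not PaperCut's or Microsoft's code. The fixed releases
(20.1.7, 21.2.11, 22.0.9) are from the article; the branch rules below
for versions outside 20.x-22.x are assumptions.
"""
import re

# First fixed build on each maintenance branch named in the article.
FIXED_RELEASES = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}

# Leading "major.minor.patch"; anything after it (e.g. "(Build 12345)") is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a PaperCut version string.

    Accepts the form shown in the admin "About" page, e.g. "22.0.8 (Build 65003)".
    Raises ValueError for anything that does not start with three numeric parts.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True if `version` is at or above the fixed release for its branch.

    Assumptions (not stated in the article): branches newer than 22.x were
    released after the fix and carry it; branches older than 20.x have no
    fixed release listed and must be upgraded, so they count as unpatched.
    """
    major, minor, patch = parse_version(version)
    if major > max(FIXED_RELEASES):
        return True
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        return False
    return (major, minor, patch) >= fixed


def triage(inventory):
    """Return [(host, version, target)] for servers that still need the update.

    `inventory` is an iterable of (host, version_string). `target` is the
    fixed release on the host's branch; for branches with no fixed release
    the lowest fixed branch, 20.1.7, is used as the minimum upgrade target.
    """
    needs_update = []
    for host, version in inventory:
        if is_patched(version):
            continue
        major = parse_version(version)[0]
        target = FIXED_RELEASES.get(major, FIXED_RELEASES[20])
        needs_update.append((host, version, ".".join(map(str, target))))
    return needs_update


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and build numbers are made up.
    sample = [
        ("print-01.corp.example", "22.0.9 (Build 65011)"),
        ("print-02.corp.example", "22.0.8 (Build 65003)"),
        ("print-03.corp.example", "21.2.11"),
        ("print-04.corp.example", "20.0.5"),
        ("legacy-mf.corp.example", "19.2.3"),
    ]
    for host, version, target in triage(sample):
        print(f"{host}: running {version}, upgrade to {target} or later")
```

The comparison is done per branch rather than as a single global threshold because 21.2.10, for example, is numerically above 20.1.7 yet still unpatched; a naive "is it newer than 20.1.7" check would miss it.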

The development also follows a Microsoft report revealing that Iranian threat actors are increasingly relying on a new tactic that combines offensive cyber operations with multi-pronged influence operations to "facilitate geopolitical change in line with regime objectives."

This shift coincides with an increased tempo in the adoption of newly reported vulnerabilities, the use of compromised websites for command and control to better conceal the source of attacks, and the use of custom tooling and tradecraft for maximum impact.
