Connect with us

Hi, what are you looking for?



Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability

Microsoft warns that two Iranian state-sponsored groups have adopted exploits targeting a recently patched PaperCut vulnerability.

Microsoft warned over the weekend that more threat actors have started targeting a recently patched vulnerability in PaperCut MF/NG print management solutions, including Iranian state-sponsored groups.

The critical flaw, tracked as CVE-2023-27350 (CVSS score of 9.8) and patched in March 2023, could allow remote, unauthenticated attackers to bypass authentication and execute arbitrary code with the privileges of the System user.

In late April, PaperCut urged customers to update their installations as soon as possible, raising the alarm on the first attacks targeting the vulnerability, while endpoint and response security firm Huntress warned that most PaperCut MF/NG deployments were unpatched.

A few days later, Microsoft reported that it had seen a Cl0p ransomware operator affiliated with the FIN11 and TA505 Russian groups exploiting the vulnerability for weeks.

Now, the tech giant warns that Iranian state-sponsored threat actors Mint Sandstorm and Mango Sandstorm have adopted publicly available proof-of-concept (PoC) code exploiting the bug and are targeting unpatched PaperCut installations in attacks.

“After public POCs were published for CVE-2023-27350, Mint Sandstorm & Mango Sandstorm quickly adapted the exploit in their operations to achieve initial access. This activity shows Mint Sandstorm’s continued ability to rapidly incorporate POC exploits into their operations,” Microsoft warned.

For the time being, the tech giant says, Mint Sandstorm activity targeting CVE-2023-27350 appears opportunistic, while Mango Sandstorm’s exploitation of the flaw remains low.

Advertisement. Scroll to continue reading.

“As more threat actors begin to use this vulnerability in their attacks, organizations are strongly urged to prioritize applying the updates provided by PaperCut to reduce their attack surface,” Microsoft notes.

Also tracked as Ajax Security Team, Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, Mint Sandstorm has been active since at least 2011, targeting governments, critical infrastructure, activists, journalists, and other entities.

Recently, the threat actor was observed moving from reconnaissance to targeting US critical infrastructure organizations, likely in preparation of destructive cyberattacks.

Called Mango Sandstorm under Microsoft’s new APT naming scheme, the second Iranian group is also tracked as Mercury, MuddyWater, Seedworm, and Static Kitten, and has been actively launching espionage campaigns against entities in the Middle East since at least 2017.

Officially linked by the US to the Iranian Ministry of Intelligence and Security (MOIS), Mango Sandstorm was recently seen launching destructive cyberattacks disguised as ransomware.

Related: ‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations

Related: US Cyberwarriors Thwarted 2020 Iran Election Hacking Attempt

Related: Iranian APT Leaks Data From Saudi Arabia Government Under New Persona

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


ENISA and CERT-EU warn of Chinese threat actors targeting businesses and government organizations in the European Union.