Microsoft warned over the weekend that more threat actors have started targeting a recently patched vulnerability in PaperCut MF/NG print management solutions, including Iranian state-sponsored groups.
The critical flaw, tracked as CVE-2023-27350 (CVSS score of 9.8) and patched in March 2023, could allow remote, unauthenticated attackers to bypass authentication and execute arbitrary code with the privileges of the System user.
In late April, PaperCut urged customers to update their installations as soon as possible, raising the alarm on the first attacks targeting the vulnerability, while endpoint and response security firm Huntress warned that most PaperCut MF/NG deployments were unpatched.
A few days later, Microsoft reported that it had seen a Cl0p ransomware operator affiliated with the FIN11 and TA505 Russian groups exploiting the vulnerability for weeks.
Now, the tech giant warns that Iranian state-sponsored threat actors Mint Sandstorm and Mango Sandstorm have adopted publicly available proof-of-concept (PoC) code exploiting the bug and are targeting unpatched PaperCut installations in attacks.
“After public POCs were published for CVE-2023-27350, Mint Sandstorm & Mango Sandstorm quickly adapted the exploit in their operations to achieve initial access. This activity shows Mint Sandstorm’s continued ability to rapidly incorporate POC exploits into their operations,” Microsoft warned.
For the time being, the tech giant says, Mint Sandstorm activity targeting CVE-2023-27350 appears opportunistic, while Mango Sandstorm’s exploitation of the flaw remains low.
“As more threat actors begin to use this vulnerability in their attacks, organizations are strongly urged to prioritize applying the updates provided by PaperCut to reduce their attack surface,” Microsoft notes.
Also tracked as Ajax Security Team, Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, Mint Sandstorm has been active since at least 2011, targeting governments, critical infrastructure, activists, journalists, and other entities.
Recently, the threat actor was observed moving from reconnaissance to targeting US critical infrastructure organizations, likely in preparation of destructive cyberattacks.
Called Mango Sandstorm under Microsoft’s new APT naming scheme, the second Iranian group is also tracked as Mercury, MuddyWater, Seedworm, and Static Kitten, and has been actively launching espionage campaigns against entities in the Middle East since at least 2017.
Officially linked by the US to the Iranian Ministry of Intelligence and Security (MOIS), Mango Sandstorm was recently seen launching destructive cyberattacks disguised as ransomware.
Related: ‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations
Related: US Cyberwarriors Thwarted 2020 Iran Election Hacking Attempt
Related: Iranian APT Leaks Data From Saudi Arabia Government Under New Persona