The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

**Summary**

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

**Affected Products**

*   SolarWinds Platform 2023.1 and earlier

**Fixed Software Release**

*   SolarWinds Platform 2023.2

**Acknowledgments**

*   Juampa Rodriguez (@UnD3sc0n0c1d0)

**Workarounds**

SolarWinds recommends customers upgrade to SolarWinds Platform version 2023.2 as soon as it becomes available. The expected release is by the end of April 2023. SolarWinds also recommends customers to follow the guidance provided in the SolarWinds Secure Configuration Guide. Ensure only authorized users can access the SolarWinds Platform. Special attention should be given to the following points from the documentation:

*   Be careful not to expose your SolarWinds Platform website on the public internet. If you must enable outbound internet access from SolarWinds servers, create a strict allow list and block all other traffic. See SolarWinds Platform Product Features Affected by Internet Access.
*   Disable unnecessary ports, protocols, and services on your host operating system and on applications like SQL Server. For more details, see the SolarWinds Port Requirements guide and Best practices for configuring Windows Defender Firewall (© 2023 Microsoft, available at https://docs.microsoft.com, obtained on March 28, 2023.)
*   Apply proper segmentation controls on the network where you have deployed the SolarWinds Platform and SQL Server instances.

CVE-2022-47509: SolarWinds Trust Center Security Advisories | CVE-2022-47509

Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.

Globally, interest has surged around North Korea's Kimsuky advanced persistent threat group (a.k.a. APT43) and its hallmarks. Still, the group is showing no signs of slowing down despite the scrutiny.

Kimsuky is a government-aligned threat actor whose main aim is espionage, often (but not exclusively) in the fields of policy and nuclear weapons research. Its targets have spanned the government, energy, pharmaceutical, and financial sectors, and more beyond that, mostly in countries that the DPRK considers arch-enemies: South Korea, Japan, and the United States.

Kimsuky is by no means a new outfit — CISA has traced the group's activity all the way back to 2012. Interest peaked last month thanks to a report from cybersecurity firm Mandiant, and a Chrome extension-based campaign that led to a joint warning from German and Korean authorities. In a blog published April 20, VirusTotal highlighted a spike in malware lookups associated with Kimsuky, as demonstrated in the graph below.

    

Volume of lookups for Kimsuky malware samples. Source: Virus Total

Many an APT has crumbled under increased scrutiny from researchers and law enforcement. But signs show Kimsuky is unfazed.

"Usually when we publish insights they'll go 'Oh, wow, we're exposed. Time to go underground,'" says Michael Barnhart, principal analyst at Mandiant, of typical APTs.

In Kimsuky's case, however, "no one cares at all. We've seen zero slowdown with this thing."

**What's Going on With Kimsuky?**

Kimsuky has gone through many iterations and evolutions, including an outright split into two subgroups. Its members are most practiced at spear phishing, impersonating members of targeted organizations in phishing emails — often for weeks at a time — in order to get closer to the sensitive information they're after.

The malware they've deployed over the years, however, is far less predictable. They've demonstrated equal capability with malicious browser extensions, remote access Trojans, modular spyware, and more, some of it commercial and some not.

In the blog post, VirusTotal highlighted the APT's propensity for delivering malware via .docx macros. In a few cases, though, the group utilized CVE-2017-0199, a 7.8 high severity-rated arbitrary code execution vulnerability in Windows and Microsoft Office.

With the recent uptick in interest around Kimsuky, VirusTotal has revealed that most uploaded samples are coming from South Korea and the United States. This tracks with the group's history and motives. However, it also has its tendrils in countries one might not immediately associate with North Korean politics, like Italy and Israel.

For example, when it comes to lookups — individuals taking an interest in the samples — the second most volume comes from Turkey. "This may suggest that Turkey is either a victim or a conduit of North Korean cyber attacks," according to the blog post.

    

Kimsuky malware sample lookups by country. Source: VirusTotal

**How to Defend Against Kimsuky**

Because Kimsuky targets organizations across countries and sectors, the range of organizations who need to worry about them is greater than most nation-state APTs.

"So what we've been preaching everywhere," Barnhart says, "is strength in numbers. With all these organizations around the world, it's important that we all talk to each other. It's important that we collaborate. No one should be operating in a silo."

And, he emphasizes, because Kimsuky uses individuals as conduits for greater attacks, everybody has to be on the lookout. "It's important that we all have this baseline of: don't click on links, and use your multi-factor authentication."

With simple safeguards against spear phishing, even North Korean hackers can be thwarted. "From what we're seeing, it does work if you actually take the time to follow your cyber hygiene," Barnhart notes.

North Korea's Kimsuky APT Keeps Growing, Despite Public Outing

An uptick in EvilExtractor activity aims to compromise endpoints to steal browser from targets across Europe and the US, researchers say.

A phishing campaign that launched in March and is actively targeting Microsoft operating system users in Europe and the US is making the rounds, using the EvilExtractor tool as its weapon of choice.

Research this week from FortiGuard Labs details the EvilExtractor attack chain, explaining that it usually starts with a legitimate-seeming Adobe PDF or Dropbox link, which instead deploy a malicious PowerShell when opened or clicked, before eventually leading to the modular EvilExtractor malware.

"Its primary purpose seems to be to steal browser data and information from compromised endpoints, and then upload it to the attacker’s FTP server," FortiGuard Labs researchers wrote.

The report points out that EvilExtractor was first developed by Kodex, which claimed that, despite its obvious name, it's used as an "educational tool,' according to the EvilExtractor report. "However, research conducted by FortiGuard Labs shows cybercriminals are actively using it as an info-stealer."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'EvilExtractor' All-in-One Stealer Campaign Targets Windows User Data

While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.

Intel is taking a new tack with its latest commercial PC chips announced last month: Instead of touting speed and performance, the company is emphasizing the chip's security features.

The chip giant has been working with security vendors in recent years to implement hardware-level protections on the chips to protect laptops from ransomware and malware attacks. The new 13th Gen Intel Core vPro processors include under-the-hood improvements at the firmware and operating system levels that boost system protection and management, the company says.

Attackers will find it harder to compromise the firmware through hardware exploits because many of the new upgrades are in the chip's firmware and BIOS, and the chip's security layer contains prevention and detection capabilities. For example, there is a better handshake between the firmware and Microsoft's virtualization technology in Windows 11 to prevent intrusions, says Mike Nordquist, vice president and general manager of Intel Business Client Product Planning and Architecture. He notes that Hyper-V on Windows 11 works with vPro to store secrets and credentials in a virtual container.

"If you only have detection, you keep letting everyone in your front door. You are never really going to address the problem. You have to figure out how to close that front door," Nordquist says.

**Secure Enclaves on Chip**

Intel's vPro now provides the hooks for critical applications running on Windows 11 to be encrypted in memory through a feature called Total Memory Encryption-Multi-Key.

Microsoft provides the ability to encrypt storage drives, but it recently added the ability to encrypt data in memory. Intel's newer Core chips, code-named Raptor Lake, come ready for that feature; they have 16 memory slots in which applications can be encrypted, with separate keys needed to unlock the data.

The feature helps prevent side-channel attacks, which typically involve breaking into a chip and stealing unencrypted data from sources that include memory. Hackers would need a key to unlock the data, and isolating applications in 16 different slots makes it an even bigger challenge to steal data.

Applications are encrypted in virtual machines created in the memory slots, and system administrators can enable or disable the feature.

"We're not encrypting the entirety of the memory, because if you don't need to do it, it is basically going to impact performance," says Venky Venkateswaran, director of client product security and virtualization architecture and definition for Intel's Client Computing Group.

A new vPro technology to prevent security threats, TDT (threat detection technology), uses libraries baked into the chips to identify abnormal activity and security threats on a PC. The library assesses telemetry coming from CPUs that may be related to abnormal processing activity as a result of a security breach.

For example, the libraries can tell if a cryptocurrency mining application is calling on an abnormally high number of crypto instructions. That information is sent to security applications, which use that data in their engine to triage and stop threats.

The libraries have models tuned to weed out ransomware and other types of attack.

"We have low-level telemetry and an AI engine of sorts that can weed out the noise ... you don't want to have false positives," Venkateswaran says.

Intel is partnering with several antivirus vendors, including Microsoft, CrowdStrike, Eset, and Check Point Technologies, to integrate TDT features into security software. This way, the vendors get access to hardware telemetry to detect threats in virtual machines. For example, Eset Endpoint Security will be able to detect ransomware through Intel's performance monitoring unit (PMU), which sits underneath applications in the operating system.

**Patching Components**

Intel is working with PC makers to bring a standard methodology to patch PCs, and it is not putting all the eggs in one basket when it comes to securing systems. The focus is on establishing islands of security for different hardware components.

"There's no reason the BIOS needs to be able to have access to the OS memory. There is no value-add in it," Nordquist says. "So we actually deprivileged that at a base level ... and we did an enhanced level where we could really lock it down good. On vPro, that is a little bit better."

Attack vectors for PCs are different from servers and require a different security profile, he says.

"Before, PCs were designed to make sure the OS was protected. What if I want to protect something from the OS? What if I do not trust the hypervisor? I need the next level of security to deal with that," Nordquist says.

**Squashing Chip Bugs**

As a sign that Intel is serious about making hardware security a priority, the company last year awarded $935,751 in bug bounties to security researchers disclosing security flaws in its chips and firmware. The company has paid a total of $4 million since the inception of the program in 2017, according to its most recent annual security research report.

"These firmware updates are usually released on Intel's website, and the device vendor is responsible for distributing them. Some of them can be delivered automatically by Microsoft Windows Update, but only limited vendors can update their devices through it," says Alex Matrosov, founder of Binarly, whose firmware security platform helps people discover and patch hardware vulnerabilities. "CISOs should start paying more attention to threats and device ... security below the operating system. Every mature enterprise organization should invest in firmware security and specifically vulnerability management for their device security pasture."

Intel Prioritizes Security in Latest vPro Chips

The transition from traditional logins to cryptographic passkeys is getting messy. But don’t worry—there’s a plan.

There was never a question that it would take years to transition the world away from passwords. The digital authentication technology, though deeply flawed, is pervasive and inveterate. Over the last five years, though, the secure-authentication industry association known as the FIDO Alliance has been making real progress promoting “passkeys,” a password-less alternative for signing into applications and websites. And yet, you probably still use a lot of passwords every day. In fact, you may not have any accounts protected by a passkey at all, despite broad adoption from Microsoft, Google, Apple, and many more.  

At the RSA security conference in San Francisco next week, Christiaan Brand, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, will present a talk on new features and growth in passkey adoption. He also plans to examine the current challenges that passkeys face in countering the inertia passwords have built up over decades—and the long game of slowly grinding down the password's dominance.

“What I want to highlight is how far we’ve come, but which problems still remain unsolved,” Brand says. “Passwords are everywhere, and they are bad, but everyone is accustomed to them. Users don’t want to be surprised, and they don’t like change. So it’s very important to think about passkeys as an augmentation. We need to kind of push users toward the thing that will be easier and more secure."

Over the past year, Brand says, FIDO has made significant progress rolling out features to support its password-less vision. The infrastructure is now in place to back up passkeys so they can sync between devices, get services to prompt users about passkeys rather than always defaulting to username and password, and use Bluetooth-based proximity sensing to share passkey authentication between devices. All three of these points address major usability issues that FIDO publicly set out to improve a year ago.

In practice, though, there are still hurdles, and developing these solutions has taken time. For example, Brand says the new Bluetooth-based proximity-sensing protocol was carefully engineered to avoid the security issues that often plague Bluetooth implementations. The idea was to strip away most of Bluetooth's functionality and exclusively use the protocol for proximity checks rather than any data transfers. This approach has allowed passkeys to bypass many of Bluetooth's quirks and reliability issues when attempting to pair devices. 

Developing a coherent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge, though. If you, say, log into your Google account from a Mac using traditional passwords, your credentials still get checked against what Google has on file for your account on one of the company's servers. But the security and phishing-resistant benefits of passkeys come from the fact that they work differently. If you use a passkey to log into your Google account from a Mac, the cryptographic check happens locally and Apple is never directly involved—everything the user experiences during the interaction is facilitated by macOS, not Google.

“If I'm Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,” Brand says. “So I think we’re in the technology infancy, where all of these different platforms have come up with different UX patterns and UX paradigms. Stitching all of that together is kind of tricky, and that’s probably going to take another nine to 12 months for the industry to support.”

Another big challenge with establishing consistency and continuity will be the long transition to passkeys alone. For the foreseeable future, services must continue to support username and password logins and make sure those systems are as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. As password login systems fade from prominence and are neglected, they could produce new types of security exposures in their disrepair.

For now, though, the tech industry is still in the early stages of this long haul transition.

“Part of the problem is that all the stuff that I have in my presentation, we haven’t really seen this put into practice yet,” Brand says. “There are passkey implementations out there, and some folks have dipped their toe in the water, but a lot of the stuff isn’t really in the mainstream consciousness of developers, and certainly not for users. The mass, super-scale adoption is still something that we’re working to make happen.”

The War on Passwords Enters a Chaotic New Phase

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX, a complex, lengthy intrusion that has the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider **3CX.** The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on **LinkedIn** to lure people into opening malware disguised as a job offer; malware targeting **Mac** and **Linux** users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.

In late March 2023, 3CX disclosed that its desktop applications for both **Windows** and **macOS** were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.

3CX hired incident response firm **Mandiant**, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for **X\_TRADER**, a software package provided by **Trading Technologies**.

“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.

Mandiant found the earliest evidence of compromise uncovered within 3CX’s network was through the VPN using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.

“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.

Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.

Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on **GitHub**. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.

The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.

Meanwhile, the security firm **ESET** today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.

As reported in a recent series last summer here, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.

Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by **ClearSky Security**, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.

**Microsoft Corp.**, which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like **Sumatra PDF** and the SSH client **Putty**.

Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred to this group as “**ZINC**“. That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “**Diamond Sleet**.”

The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise **Linux** operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.

“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers **Peter Kalnai** and **Marc-Etienne M.Leveille**. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”

ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.

“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”

ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable file would download additional malware payloads. The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure.

**Kim Zetter**, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.

“Mandiant informed Trading Technologies on April 11 that its X\_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X\_Trader software was downloaded by people at other software firms.

If there’s a silver lining here, the X\_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.

“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.

3CX Breach Was a Double Supply Chain Compromise

The Open Source Security Foundation's SLSA v1.0 release is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.

The Open Source Security Foundation (OpenSSF) has released v1.0 of Supply-chain Levels for Software Artifacts (SLSA) with specific provisions for the software supply chain.

Modern application development teams regularly reuse code from other applications and pull code components and developer tools from myriad sources. Research from Snyk and the Linux Foundation last year found that 41% of organizations didn't have high confidence in open source software security. With supply chain attacks posing an ever-present and ever-evolving threat, both software development teams and security teams now recognize that open source components and frameworks need to be secured.

SLSA is a community-driven supply chain security standards project backed by major technology companies, such as Google, Intel, Microsoft, VMware, and IBM. SLSA focuses on increasing security rigor within the software development process. Developers can follow SLSA's guidelines to make their software supply chain more secure, and enterprises can use SLSA to make decisions about whether to trust a software package, according to the Open Source Security Foundation.

SLSA provides a common vocabulary to talk about software supply chain security; a way for developers to assess upstream dependencies by evaluating the trustworthiness of source code, builds, and container images used in the application; an actionable security checklist; and a way to measure compliance with the forthcoming Secure Software Development Framework (SSDF).

The SLSA v1.0 release divides SLSA’s level requirements into multiple tracks, each one measuring a particular aspect of software supply chain security. The new tracks will help users better understand and mitigate the risks associated with software supply chains and ultimately develop, demonstrate, and use more secure and reliable software, the OpenSSF says. SLSA v1.0 also provides more explicit guidance on how to verify provenance, along with making corresponding changes to the specification and provenance format.

The Build Track Levels 1-3, which roughly correspond to Levels 1-3 in earlier SLSA versions, describes levels of protection against tampering during or after software build. The Build Track requirements reflect the tasks required: producing artifacts, verifying build systems, and verifying artifacts. Future versions of the framework will build on requirements to address other aspects of the software delivery life cycle.

Build L1 indicates provenance, showing how the package was built; Build L2 indicates signed provenance, generated by a hosted build service; and Build L3 indicates the build service has been hardened.

The higher the level, the higher the confidence that a package can be traced back to its source and has not been tampered with, OpenSSF said.

Software supply chain security is a key component of the Biden administration's US National Cybersecurity Strategy, as it pushes software providers to assume greater responsibility for the security of their products. And recently, 10 government agencies from seven countries (Australia, Canada, Germany, the Netherlands, New Zealand, the United Kingdom, and the United States) released new guidelines, "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default," to urge software developers to take necessary steps to ensure they are shipping products that are both secure by design and by default. That means removing default passwords, writing in safer programming languages, and establishing vulnerability disclosure programs for reporting flaws.

As part of securing the software supply chain, security teams should be engaging with developers to educate them about secure coding practices and tailoring security awareness training to include the risks surrounding the software development life cycle.

OpenSSF Adds Software Supply Chain Tracks to SLSA Framework

Vulnerable MS-SQL database servers have external connections and weak account credentials, researchers warn.

The Trigona ransomware threat actors are waging a campaign against Microsoft SQL database servers because many of them have external connections and weak passwords, leaving them open targets for brute force or dictionary attacks.

These vulnerable MS-SQL servers were designated as "poorly managed" by AhnLab Security's new alert about Trigona's nefarious activities.

"If a threat actor manages to log in, control over the system will be passed to them, allowing them to install malware or execute malicious commands," the report said.

    

The Trigona ransom note. Source: AhnLabs

They're popular repeat targets too, and not just for Trigona: In one instance observed by AhnLab researchers, credentials for a breached MS-SQL server were compromised by several threat actors, leaving traces of various ransomware strains, Remcos RAT, and coinminers, the report said.Additionally, MS-SQL can be installed on both Windows SQL servers and desktop environments. 

"For example, there are cases where MS-SQL is installed alongside certain enterprise resource planning (ERP) and work-purpose solutions during their installation process," the Trigona ransomware report added. "Because of this, Windows servers and Windows desktop environments can both be targeted for MS-SQL server attacks."

AhnLab Security noted Trigona is a relatively new ransomware group, first observed last October.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Trigona Ransomware Trolling for 'Poorly Managed' MS-SQL Servers

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. **We have evidence to suggest that unpatched servers are being exploited in the wild.**

As a precaution, we are not able to reveal too much about these vulnerabilities. We have documented what we can disclose below.

**Critical:** Please note that as of 18th April, 2023 we have evidence to suggest that unpatched servers are being exploited in the wild, (particularly ZDI-CAN-18987 / PO-1216).

Our immediate advice is to upgrade your PaperCut Application Servers to one of the fixed versions listed below if you haven’t already.

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior. We have also updated the FAQ “How do I know if my server has been exploited?” question below.

**Important:** Both of these vulnerabilities have been **fixed** in PaperCut MF and PaperCut NG versions **20.1.7, 21.2.11 and 22.0.9** and later. We highly recommend upgrading to one of these versions containing the fix (see the Where can I get the upgrade? question below).

**ZDI-CAN-18987 / PO-1216**

_(also identified as CVE-2023–27350)_

We have confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in.

_This vulnerability has been rated with a CVSS score of 9.8._

**ZDI-CAN-19226 / PO-1219**

_(also identified as CVE-2023–27351)_

We have confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG - including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for **internal** PaperCut\-created users only (note that this does **not** include any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. We do not have any evidence of this vulnerability being used against customers at this point.

_This vulnerability has been rated with a CVSS score of 8.2._

**Product status and next steps**

Which PaperCut products are impacted, and what are the actions required?

 

**ZDI-CAN-18987 / PO-1216**  
_CVE-2023–27350_

**ZDI-CAN-19226 / PO-1219**  
_CVE-2023–27351_

**What versions are impacted?**

PaperCut MF or NG version 8.0 or later, on all OS platforms

PaperCut MF or NG version 15.0 or later, on all OS platforms

**Which PaperCut MF or NG components are impacted?**

Application Servers **are** impacted  
Site Servers **are** impacted

Application Servers **are** impacted

**Which PaperCut components or products are _NOT_ impacted?**

PaperCut MF/NG secondary servers (Print Providers).  
PaperCut MF/NG Direct Print Monitors (Print Providers).  
PaperCut Hive.  
PaperCut Pocket.  
Print Deploy.  
Mobility Print.  
PaperCut User Client software.

PaperCut MF/NG secondary servers (Print Providers).  
PaperCut MF/NG Direct Print Monitors (Print Providers).  
PaperCut MF/NG site servers.  
PaperCut Hive.  
PaperCut Pocket.  
Print Deploy.  
Mobility Print.  
PaperCut User Client software.

**Next steps**

We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation)

You will **not** need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer.

We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). Even though the Site Server is not impacted by this vulnerability, you will need to upgrade them to match the version number of the Application Server.

You will **not** need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer.

**FAQs**

Q Where can I get the upgrade?

Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.

If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

Q Is there any impact from applying the upgrade?

There should be no negative impact from applying these security fixes. No other manual steps need to be taken.

Q Where are the release notes for these fixes?

You can see the release notes pages for PaperCut MF and NG which list all fixes included per version:

*   MF - 20.1.7, 21.2.11, 22.0.9
*   NG - 20.1.7, 21.2.11, 22.0.9

Q What are the CVSS scores for these vulnerabilities?

Vulnerability: ZDI-CAN-18987 / PO-1216

*   Score: 9.8 (Critical)
*   Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability: ZDI-CAN-19226 / PO-1219

*   Score: 8.2 (High)
*   Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Q Is there more information available about these vulnerabilities?

Not at this time - to give customers a chance to upgrade, we are not releasing further details about these vulnerabilities.

Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/upcoming/ (filter on “PaperCut”).

Q Is there a mitigation for these vulnerabilities if I don’t want to upgrade?

ZDI-CAN-18987 / PO-1216:

*   No practical pre-patch mitigation strategy has been identified. Customers will need to patch to address the issue.

ZDI-CAN-19226 / PO-1219:

*   Apply “Allow list” restrictions under **Options > Advanced > Security > Allowed site server IP addresses**. Set this to only allow the IP addresses of verified Site Servers on your network.

Q How do I know if my server has been exploited?

There is not currently a 100% solid way to tell if your server(s) have been exploited.

We recommend a review of server access logs and virus and malware scanner results. From a PaperCut point of view we also recommend:

*   Look for suspicious activity in **Logs > Application Log**, within the PaperCut admin interface.
*   Keep an eye out in particular for any updates from a user called [setup wizard].
*   Look for new (suspicious) users being created, or other configuration keys being tampered with.
*   Look for any suspicious processes being run on the Application Server - particularly processes owned by pc-app.exe.
*   If your Application Server server logs happen to be in debug mode, check to see if there are lines mentioning SetupCompleted at a time not correlating with the server installation or upgrade. Server logs can be found e.g. in [app-path]/server/logs/*.* where server.log is normally the most recent log file.

However, these are only examples of suspicious activity - if an attacker does gain access through an unpatched vulnerability, they may also work to cover their steps.

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.

Q Is there a maintenance release for versions 19 or older?

No - versions 19 and older are now “end of life”, as documented on our End of Life Policy page.

We recommend purchasing an updated license, which you can do online if you’re using PaperCut NG, or through your PaperCut Partner if you’re using PaperCut MF. You can find your PaperCut Partner contact information through the ‘About’ or ‘Help’ tab in the PaperCut administration interface.

Q I have a version 20 license, but no current M&S (maintenance and support) - can I still get this fix?

Yes! As long as you are running a version which is currently supported (version 20 or later) you can upgrade to whichever maintenance release version you’re licensed for. For example if you are licensed for version 20 but you don’t have a valid license for version 21, you can update to version 20.1.7 as above. See the ‘Where can I get the upgrade?’ question above for more details.

See our Upgrade Policy page for more information on licensing and upgrades.

**Acknowledgements**

PaperCut would like to thank the researchers working with Trend Micro for reporting these issues and working with us to help protect our customers:

*   ZDI-CAN-19226 - Discovered by: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
*   ZDI-CAN-18987 - Discovered by: Anonymous

Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/published/ (filter on “PaperCut”).

**Security Updates**

In order to get notifications of security fixes please subscribe to our security notifications list via our sign up form.

**Updates**

**Date**

**Update/Action**

10th January 2023

Vulnerability reported to PaperCut, by Trend Micro (see ZDI-CAN-18987 and ZDI-CAN-19226).

8th March 2023

Released PaperCut MF and NG versions 20.1.7, 21.2.11 and 22.0.9 containing a fix for these vulnerabilities.  
Published this KB article documenting the vulnerability information.  
Sent communications to PaperCut partners and PaperCut security notifications email list.

14th March 2023

Trend Micro published additional details of the vulnerability on their website: ZDI-CAN-18987 and ZDI-CAN-19226.

19th April 2023

Updated this KB with new information discovered on the 18th April - indicating evidence to suggest that unpatched servers are being exploited in the wild.

_Categories:_ FAQ, Security and Privacy

_Keywords:_

CVE-2023-27351: APRIL 19 UPDATE | PaperCut MF/NG vulnerability bulletin (March 2023)

Attackers are using custom malware to exploit drivers and terminate security processes so they can deploy ransomware.

The "AuKill" cybercrime tool has emerged, which threat actors are using to disable endpoint detection and response (EDR) defenses used by enterprises before deploying ransomware. It makes use of malicious device drivers to infiltrate systems.

In two recent incidents, researchers from Sophos observed an adversary using AuKill prior to deploying Medusa Locker ransomware; another time, the security vendor discovered an attacker using the EDR killer on an already compromised system before installing the LockBit ransomware.

Christopher Budd, senior manager of threat research at Sophos, says the trend is a response to the growing effectiveness of EDR tools. "Threat actors are starting to recognize that EDR agents provide security vendors a significant advantage in spotting attacks," he says. "Threat actors are targeting the tools causing them the most trouble."

The attacks are similar to a flurry of incidents that Sophos, Microsoft, Mandiant, and SentinelOne reported in December, where threat actors used custom-built drivers to disable security products on already compromised systems, leaving them open to other exploits.

In those attacks, threat actors used malicious drivers that they tricked Microsoft into digitally signing, therefore making them appear legitimate. In other driver attacks, threat actors have exploited a vulnerability in a legitimate device driver to execute ransomware, escalate privileges, and bypass security controls. Some security vendors and researchers commonly refer to the technique as a "bring your own vulnerable driver" or BYOVD attack.

Aukill itself is a tool that falls into the BYVOD category. It takes advantage of a legitimate but outdated and exploitable version of a driver that Microsoft's Process Explorer 16.32 uses, to disable EDR processes.

**Bring Your Own Vulnerable Driver**

The vulnerable Process Explorer driver that AuKill leverages — like other drivers — has privileged access on installed systems and can interact with and terminate running processes.

It's a free tool that allows users to get detailed information on all running processes on a system, their executable paths, performance metrics, and other information. It offers multiple features for monitoring real-time system activity, prioritizing processes and identity, terminating processes, and executing other functions.

Budd says that in the recent ransomware attacks that Sophos observed, the threat actor injected the tool into systems on which they had already gained access. Once on a system, AuKill drops a driver named PROCEXP.SYS from release version 16.32 of Process Explorer into the same location as the legitimate version of the Process Explorer driver (PROCEXP152.sys).

"The \[legitimate\] Process Explorer driver v.16.32 does not limit its functionality to working with the main Process Explorer executable," Budd says. "So other programs may send API calls to the driver to take advantage of its functionality." In AuKill's case, the tool abuses the legitimate driver to execute instructions to shut down EDR and other security controls on the compromised computer. "They leverage the existing functionality in the Process Explorer driver that permits Process Explorer to terminate running programs," he says.

Sophos has so far analyzed six different versions of AuKill and noticed some substantial changes with each new version. Newer versions, for instance, now target more EDR processes and services for termination. They also include a feature that continuously probes EDR processes and services to ensure that terminated processes remain that way through restart attempts. The malware authors have also added features to make AuKill more robust by having AuKill run multiple threads at once to protect itself from being terminated in response, Budd says.

Sophos' analysis of AuKill showed it to contain similarities in code with BackStab, an open source tool that surfaced in June 2021 that also abused the Process Explorer driver to kill EDR tools. The company's researchers spotted a LockBit actor using BackStab to disable EDR on systems as recently as last November.

Tag

#microsoft