Attacks exploiting a critical improper access vulnerability in PaperCut servers, tracked as CVE-2023-27350, have been underway over the past two weeks, with Russian hackers suspected to be behind the intrusions, reports The Hacker News.
Nearly 1,800 internet-exposed servers have already been compromised to facilitate the installation of Atera and Syncro remote management and maintenance software, according to a report from Huntress. That software has been hosted on a domain previously used to host the TrueBot malware, which has been tied to the Russian threat operation Silence, a group linked to Evil Corp and the TA505 threat cluster.
"While the ultimate goal of the current activity leveraging PaperCut's software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning. Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment," said Huntress.
Meanwhile, proof-of-concept code for the vulnerability that could be exploited for remote code execution has also been published by Horizon3.ai.