AA23-131A Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG
Indicators
On May 12, 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-27350. The vulnerability affects certain versions of PaperCut NG and PaperCut MF and allows an unauthenticated remote actor to execute arbitrary code on the application server. PaperCut released a patch in March 2023 (fixed in versions 20.1.7, 21.2.11 and 22.0.9; earlier releases remain exposed until upgraded).
This STIX file provides indicators of compromise (IOCs) associated with malicious activity reported in CISA Joint Cybersecurity Advisory AA23-131A, Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG.
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2023-05-11T00:00:00Z
Malicious File Indicator
File Hash Watchlist
socks.exe
Size (bytes): 12082688
MD5
E574AD52562FCE9EA506F47E79516A52
SHA1
D9F7A36DB2A5117D73712FB93DF23E3C2FC693FB
SHA256
6BB160EBDC59395882FF322E67E000A22A5C54AC777B6B1F10F1FEF381DF9C15
Malicious URL Indicator
URL Watchlist
upd488.windowservicecemter.com/download/update.dll
Malicious FQDN Indicator
study.abroad.ge
Malicious IPv4 Indicator
IP Watchlist
89.105.216.106
Malicious IPv4 Indicator
IP Watchlist
80.94.95.103
Malicious IPv4 Indicator
IP Watchlist
5.8.18.233
Malicious IPv4 Indicator
IP Watchlist
46.4.20.30
Malicious IPv4 Indicator
IP Watchlist
206.197.244.75
Malicious IPv4 Indicator
IP Watchlist
198.50.191.95
Malicious IPv4 Indicator
IP Watchlist
195.123.246.20
Malicious IPv4 Indicator
IP Watchlist
194.87.82.7
Malicious IPv4 Indicator
IP Watchlist
176.97.76.163
Malicious IPv4 Indicator
IP Watchlist
172.106.112.46
Malicious IPv4 Indicator
IP Watchlist
102.130.112.157
Malicious E-mail Indicator
Malicious E-mail
prepalkeinuc0u@gmx.com
Malicious E-mail Indicator
Malicious E-mail
main-office@data-highstream.com
Malicious E-mail Indicator
Malicious E-mail
fimaribahundqf@gmx.com
Malicious E-mail Indicator
Malicious E-mail
decrypt.support@privyonline.com
Malicious File Indicator
File Hash Watchlist
update.dll
Size (bytes): 109056
MD5
F0C715E8318BB8A57B7072144753ACAC
SHA1
587BBB7EF50A72954D4EF9B22B27D4A377ADC2FA
SHA256
0CE7C6369C024D497851A482E011EF1528AD270E83995D52213276EDBE71403F
Malicious IPv4 Indicator
IP Watchlist
92.118.36.199
Malicious E-mail Indicator
Malicious E-mail
tpyrcne@onionmail.org
Malicious IPv4 Indicator
IP Watchlist
192.184.35.216
Malicious URL Indicator
URL Watchlist
http://192.184.35.216:443/4591187629.exe
Malicious FQDN Indicator
upd488.windowservicecemter.com
Malicious FQDN Indicator
winserverupdates.com
Malicious FQDN Indicator
windowservicecenter.com
Malicious FQDN Indicator
windowservicecentar.com
Malicious FQDN Indicator
windowservicecemter.com
Malicious FQDN Indicator
windowcsupdates.com
Malicious FQDN Indicator
updateservicecenter.com
Malicious FQDN Indicator
netviewremote.com
Malicious FQDN Indicator
anydeskupdates.com
Malicious FQDN Indicator
anydeskupdate.com
Malicious File Indicator
File Hash Watchlist
46fe07c07fd0f45ba45240ef9aae2a44; undefined.exe
MD5
46FE07C07FD0F45BA45240EF9AAE2A44
SHA1
B918F97C7C6EBC9594DE3C8F2D9D75ECC292D02B
SHA256
C0F8AEEB2D11C6E751EE87C40EE609ACEB1C1036706A5AF0D3D78738B6CC4125
Malicious FQDN Indicator
upd343.winserverupdates.com
Malicious FQDN Indicator
ber6vjyb.com
Malicious IPv4 Indicator
IP Watchlist
216.122.175.114
Malicious IPv4 Indicator
IP Watchlist
5.8.18.240
Malicious IPv4 Indicator
IP Watchlist
5.188.206.14
Malicious IPv4 Indicator
IP Watchlist
192.160.102.164
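The watchlist above is only useful once it is matched against telemetry. The following Python script is an added example, not part of the CISA STIX bundle: it embeds the indicator values listed on this page, normalises them, and runs them over a handful of constructed proxy, DNS, firewall, mail and EDR log lines (the log format, the internal 10.0.0.x clients and the file path are assumptions made for the example). Domain matching is suffix-based, so a previously unseen host under a watchlisted domain (for example a new subdomain of anydeskupdates.com) is still flagged, and hash matching is case-insensitive because EDR exports differ in case from the bundle.

```python
"""Match the AA23-131A indicators against log lines (added example, not CISA code)."""
import hashlib
import ipaddress
import re

# Indicator values copied from the STIX bundle above; hashes lower-cased for matching.
FILE_HASHES = {
    "md5": {"e574ad52562fce9ea506f47e79516a52",      # socks.exe
            "f0c715e8318bb8a57b7072144753acac",      # update.dll
            "46fe07c07fd0f45ba45240ef9aae2a44"},     # undefined.exe
    "sha1": {"d9f7a36db2a5117d73712fb93df23e3c2fc693fb",
             "587bbb7ef50a72954d4ef9b22b27d4a377adc2fa",
             "b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b"},
    "sha256": {"6bb160ebdc59395882ff322e67e000a22a5c54ac777b6b1f10f1fef381df9c15",
               "0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f",
               "c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125"},
}
DOMAINS = {
    "study.abroad.ge", "upd488.windowservicecemter.com", "winserverupdates.com",
    "windowservicecenter.com", "windowservicecentar.com", "windowservicecemter.com",
    "windowcsupdates.com", "updateservicecenter.com", "netviewremote.com",
    "anydeskupdates.com", "anydeskupdate.com", "upd343.winserverupdates.com", "ber6vjyb.com",
}
IPS = {
    "89.105.216.106", "80.94.95.103", "5.8.18.233", "46.4.20.30", "206.197.244.75",
    "198.50.191.95", "195.123.246.20", "194.87.82.7", "176.97.76.163", "172.106.112.46",
    "102.130.112.157", "92.118.36.199", "192.184.35.216", "216.122.175.114",
    "5.8.18.240", "5.188.206.14", "192.160.102.164",
}
EMAILS = {"prepalkeinuc0u@gmx.com", "main-office@data-highstream.com",
          "fimaribahundqf@gmx.com", "decrypt.support@privyonline.com", "tpyrcne@onionmail.org"}
URLS = {"upd488.windowservicecemter.com/download/update.dll",
        "http://192.184.35.216:443/4591187629.exe"}

_HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL_RE = re.compile(r"\b[\w.+-]+@[a-z0-9.-]+\.[a-z]{2,}\b")
_HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")


def match_domain(host):
    """Most specific watchlisted domain that host equals or sits under, else None."""
    host = host.lower().rstrip(".")
    hits = [d for d in DOMAINS if host == d or host.endswith("." + d)]
    return max(hits, key=len) if hits else None


def match_hash(hexdigest):
    """Algorithm name if the digest is on the watchlist (any letter case), else None."""
    h = hexdigest.strip().lower()
    return next((algo for algo, digests in FILE_HASHES.items() if h in digests), None)


def hash_bytes(data):
    """Digests of a file's bytes in the three algorithms the bundle uses, for match_hash()."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def scan_line(line):
    """Return sorted (ioc_type, ioc_value) hits found in one log line."""
    text = line.lower()
    hits = set()
    for ip in _IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(ip)          # drop things like 999.1.2.3
        except ValueError:
            continue
        if ip in IPS:
            hits.add(("ipv4", ip))
    hits.update(("email", e) for e in _EMAIL_RE.findall(text) if e in EMAILS)
    for host in _HOST_RE.findall(text):
        d = match_domain(host)
        if d:
            hits.add(("fqdn", d))
    hits.update(("url", u) for u in URLS if u.lower() in text)
    for h in _HEX_RE.findall(text):
        algo = match_hash(h)
        if algo:
            hits.add((algo, h))
    return sorted(hits)


def scan_logs(lines):
    """(line index, hits) for every line with at least one indicator hit."""
    return [(i, scan_line(l)) for i, l in enumerate(lines) if scan_line(l)]


# Constructed sample log lines (not from the advisory) to exercise the matcher.
SAMPLE_LOGS = [
    "2023-05-02T14:03:11Z proxy client=10.0.0.12 url=http://upd488.windowservicecemter.com/download/update.dll status=200",
    "2023-05-02T14:05:40Z dns client=10.0.0.12 query=cdn.anydeskupdates.com type=A",
    "2023-05-02T14:07:02Z fw action=deny src=10.0.0.12 dst=192.184.35.216 dport=443",
    "2023-05-02T14:09:55Z mail from=decrypt.support@privyonline.com subject=README",
    "2023-05-02T14:12:30Z edr file=C:\\Windows\\Temp\\update.dll sha256=0CE7C6369C024D497851A482E011EF1528AD270E83995D52213276EDBE71403F",
    "2023-05-02T15:00:00Z proxy client=10.0.0.40 url=https://www.example.com/ status=200",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
```

Feed real logs in with `scan_logs(open(path).read().splitlines())`; for files, pass their bytes through `hash_bytes()` and each digest through `match_hash()`. Two caveats a practitioner should keep in mind: several of the listed IP addresses sit on shared hosting or VPS ranges, so an IP hit on its own is a lead to pivot on rather than proof of compromise, and the typosquatted "windowservice" domains are easy to misread, which is why the matcher works from the pasted strings rather than retyped ones.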
Execution - Command and Scripting Interpreter: PowerShell [T1059.001]
Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]
Privilege Escalation - Exploitation for Privilege Escalation [T1068]
Discovery - System Owner/User Discovery [T1033]
Impact - Data Encrypted for Impact [T1486]