We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Iranian Threat Actors Exploit PaperCut Vulnerability

Iranian Threat Actors Exploit PaperCut Vulnerability
Author Image Husain Parvez
Husain Parvez Published on 11th May 2023 Cybersecurity Researcher

Microsoft revealed over the weekend that financially motivated actors are not the only ones exploiting a critical vulnerability in PaperCut print management software. Iranian state-sponsored threat actors Mango Sandstorm (also referred to as Mercury or Muddywater) and Mint Sandstorm (also known as Phosphorus or APT35) have also been found to be exploiting the vulnerability to gain access to networks controlled by businesses, local governments, and education and healthcare institutions.

According to tweets by the Microsoft Threat Intelligence team, the exploitation of PaperCut by Mint Sandstorm appears to be opportunistic, targeting organizations in various sectors and geographic locations. The exploitation activity linked to Mango Sandstorm is believed to be relatively low, with the state-sponsored group reportedly utilizing tools from previous intrusions to establish a connection to their command-and-control infrastructure.

As previously reported, the PaperCut vulnerability, named CVE-2023-27350, can allow unauthorized remote attackers to bypass authentication and execute arbitrary code with the privileges of the System user. It received a score of 9.8 out of 10 in terms of severity. While the vulnerability was promptly fixed in March, unpatched systems are still vulnerable. In late April, PaperCut issued a warning to its customers to update their installations immediately, as initial attacks were being reported targeting the vulnerability.

However, endpoint and response security firm Huntress cautioned that numerous PaperCut MF/NG deployments were still unpatched. Several days later, Microsoft disclosed that it had detected a Clop ransomware operator utilizing the vulnerability for several weeks.

On April 21st, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its catalog of actively exploited vulnerabilities. Federal agencies were also ordered to secure their PaperCut servers within three weeks, with a deadline of May 12th, 2023.

PaperCut's enterprise printing management software is used by large corporations, state organizations, and educational institutions worldwide. According to the developer, the software has over 100 million users across 70,000 companies.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.