PaperCut NG Remote Web Access Attempt

Name:PaperCut NG Remote Web Access Attempt
id:9fcb214a-dc42-4ce7-a650-f1d2cab16a6a
version:4
date:2024-11-15
author:Michael Haag, Splunk
status:production
type:TTP
Description:The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities. This detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges. This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server. If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.
Data_source:

• -Suricata

search:| tstats count from datamodel=Web where Web.url IN ("/app?service=page/SetupCompleted", "/app", "/app?service=page/PrinterList", "/app?service=direct/1/PrinterList/selectPrinter&sp=*", "/app?service=direct/1/PrinterDetails/printerOptionsTab.tab") NOT (src IN ("10.*.*.*","172.16.*.*", "192.168.*.*", "169.254.*.*", "127.*.*.*", "fc00::*", "fd00::*", "fe80::*")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `papercut_ng_remote_web_access_attempt_filter`

how_to_implement:To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
known_false_positives:False positives may be present, filter as needed.
References:
  -https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability
  -https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
  -https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/
  -https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/
  -https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
drilldown_searches:
 name:'View the detection results for - "$dest$"'
 search:'%original_detection_search% | search dest = "$dest$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$dest$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'PaperCut MF NG Vulnerability'
  asset_type:Web Server
  atomic_guid:
  mitre_attack_id:
    - 'T1190'
    - 'T1133'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:network

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log
  source: suricata
  sourcetype: suricata
manual_test:None