PaperCut NG Remote Web Access Attempt

name: PaperCut NG Remote Web Access Attempt
id: 9fcb214a-dc42-4ce7-a650-f1d2cab16a6a
version: 10
creation_date: '2023-05-15'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: |
    The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers.
    It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities.
    This detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges.
    This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server.
    If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.
data_source:
    - Suricata
search: |
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime
    
    from datamodel=Web WHERE
    
    Web.url IN (
      "*/app?service=direct/1/PrinterDetails/printerOptionsTab.tab"
      "*/app?service=direct/1/PrinterList/selectPrinter&sp=*",
      "*/app?service=page/PrinterList",
      "*/app?service=page/SetupCompleted"
    )
    NOT src IN (
                  "10.0.0.0/8",
                  "172.16.0.0/12",
                  "192.168.0.0/16",
                  "100.64.0.0/10",
                  "127.0.0.0/8",
                  "169.254.0.0/16",
                  "192.0.0.0/24",
                  "192.0.0.0/29",
                  "192.0.0.8/32",
                  "192.0.0.9/32",
                  "192.0.0.10/32",
                  "192.0.0.170/32",
                  "192.0.0.171/32",
                  "192.0.2.0/24",
                  "192.31.196.0/24",
                  "192.52.193.0/24",
                  "192.88.99.0/24",
                  "224.0.0.0/4",
                  "192.175.48.0/24",
                  "198.18.0.0/15",
                  "198.51.100.0/24",
                  "203.0.113.0/24",
                  "240.0.0.0/4",
                  "::1"
                )
    by Web.http_user_agent Web.http_method
       Web.url,Web.url_length Web.src
       Web.dest Web.dest_port
    
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `papercut_ng_remote_web_access_attempt_filter`
how_to_implement: |-
    To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel.
known_false_positives: |-
    False positives may be present if you allow access to the PaperCut NG server from public IP addresses. Filter as needed.
references:
    - https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability
    - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
    - https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/
    - https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/
    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: URIs specific to PaperCut NG have been access by a public IP $src$ against $dest$.
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - PaperCut MF NG Vulnerability
asset_type: Web Server
mitre_attack_id:
    - T1190
    - T1133
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log
          source: not_applicable
          sourcetype: suricata
      test_type: unit