Trend Micro Protection and Detection Against Exploitation
First and foremost, apply the vendor's patches as soon as they become available. PaperCut has released new versions of PaperCut MF and PaperCut NG - 20.1.7, 21.2.11, and 22.0.9 - that resolve the issues.
Because the original submissions of these vulnerabilities came through the Trend Micro Zero Day Initiative (ZDI), Trend Micro has, based on its own analysis, rules and filters that can help protect against potential exploitation of these vulnerabilities.
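Before relying on the detection rules below, confirm which PaperCut servers still need the update. The following script is an added example (not Trend Micro's or PaperCut's code) that classifies installed PaperCut NG/MF versions against the three fixed releases named above. It assumes that earlier releases on each of those branches are affected, that branches older than the oldest fixed branch (for example 19.x or 21.1.x) received no fix and should be treated as affected, and that any branch newer than 22.0 is outside what this page states and must be checked against the vendor advisory. The hostnames and versions in the inventory are constructed sample data.

```python
from __future__ import annotations

# Fixed releases named on this page, one per maintained branch (major.minor).
FIXED_VERSIONS = ("20.1.7", "21.2.11", "22.0.9")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a PaperCut version string such as '21.2.10' into a comparable tuple.

    Raises ValueError on anything that is not at least major.minor in dotted
    integers, so a typo in an inventory export fails loudly instead of being
    silently classified as 'patched'.
    """
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_for_branch() -> dict[tuple[int, int], tuple[int, ...]]:
    """Map each (major, minor) branch to the fixed release on that branch."""
    table = {}
    for v in FIXED_VERSIONS:
        t = parse_version(v)
        table[(t[0], t[1])] = t
    return table


def assess(version: str) -> str:
    """Classify an installed PaperCut NG/MF version against the fixed releases.

    Returns one of:
      'patched'    - at or above the fixed release on the same branch
      'vulnerable' - below the fixed release on that branch, or on a branch
                     older than 22.0 that has no fixed release listed here
                     (assumption: such branches received no fix, so upgrade)
      'unknown'    - on a branch newer than any listed here; this page does
                     not cover it, so consult the vendor advisory
    """
    t = parse_version(version)
    branch = (t[0], t[1])
    table = fixed_for_branch()
    if branch in table:
        return "patched" if t >= table[branch] else "vulnerable"
    if branch > max(table):
        return "unknown"
    return "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so the vulnerable ones can be patched first."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        groups[assess(ver)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "print-srv-01": "22.0.8",
    "print-srv-02": "22.0.9",
    "print-srv-03": "21.2.11",
    "print-srv-04": "21.1.3",
    "print-srv-05": "20.1.7",
    "print-srv-06": "19.2.5",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The branch-aware comparison matters because a plain numeric comparison would mark 21.2.11 as "older" than 22.0.8, when the former is fixed and the latter is not. Feed it the version strings from your asset inventory (or from the PaperCut admin "About" page) rather than guessing from install dates.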
Trend Micro Cloud One - Network Security & TippingPoint Protection Filters
- 42626: HTTP: PaperCut NG SetupCompleted Authentication Bypass Vulnerability (ZDI-23-233)
- 42258: HTTP: PaperCut NG SecurityRequestFilter Authentication Bypass Vulnerability (ZDI-23-232)
Trend Micro Cloud One - Workload Security & Deep Security IPS Rules
- 1011731 - PaperCut NG Authentication Bypass Vulnerability (CVE-2023-27350)
- 1011732 - PaperCut NG Authentication Bypass Vulnerability (CVE-2023-27351)
Trend Micro Deep Discovery Inspector (DDI) Rules
- Rule 4835: CVE-2023-27350 - PaperCut MF/NG Authentication Bypass Exploit - HTTP (REQUEST)
- Rule 4836: CVE-2023-27351 - PaperCut MF/NG Authentication Bypass Exploit - HTTP (REQUEST)
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)
Trend Micro threat hunters have observed potential ransomware drops as part of ongoing campaigns. Observed ransomware detections include:
- Ransom.Win32.LOCKBIT.SMYXCJN
Trend Micro is continuing to monitor and research this ongoing campaign and will update this article as more information becomes available.