Iran-based state-sponsored threat groups have joined an ongoing hacking spree targeting two recently fixed vulnerabilities in print management software PaperCut, widely used by government agencies, universities, and large companies worldwide.

Microsoft said that two hacking groups it tracks as Mint Sandstorm (previously known as Phosphorus) and Mango Sandstorm (aka Mercury) have been observed targeting vulnerable PaperCut MF/NG print management servers unpatched against the CVE-2023-27350 flaw that allows to execute arbitrary code with SYSTEM privileges.

“After public POCs were published for CVE-2023-27350, Mint Sandstorm & Mango Sandstorm quickly adapted the exploit in their operations to achieve initial access. This activity shows Mint Sandstorm’s continued ability to rapidly incorporate POC exploits into their operations,” the company noted in a series of tweets.

Mint Sandstorm’s attacks appear to be opportunistic targeting, while Mango Sandstorm’s exploitation activity remains low, with operators using tools from previous campaigns to connect to their command and control infrastructure.

In late April, Microsoft observed Clop and Lockbit ransomware gangs exploiting the CVE-2023–27350 and CVE-2023–27351 PaperCut vulnerabilities in their attacks. Given that more and more threat actors are weaponizing these flaws, organizations are strongly recommended to apply the updates provided by PaperCut to reduce the risk of attacks.