
Microsoft Blames Clop Affiliate for PaperCut Attacks

Microsoft has claimed that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the work of a Clop ransomware affiliate.

The two bugs in question are CVE-2023-27350, a critical unauthenticated remote code execution flaw with a CVSS score of 9.8, and CVE-2023-27351, a high-severity unauthenticated information disclosure flaw.

After being notified by Trend Micro, PaperCut alerted users last week that the vulnerabilities were being exploited in the wild and urged customers to update their servers immediately.

Microsoft Threat Intelligence yesterday attributed recent attacks exploiting the bugs to “Lace Tempest,” a threat actor it says overlaps with FIN11 and TA505. FIN11 is linked to the infamous Clop ransomware gang and the Accellion FTA extortion campaign, while TA505 is reportedly behind the Dridex banking Trojan and Locky ransomware.

Also known as DEV-0950, Lace Tempest is a Clop ransomware affiliate that has previously been detected using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the threat group exploited the PaperCut bugs in attacks as early as April 13.

“In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service,” Microsoft added in a tweet.

“Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync.”

Microsoft added that other groups may also be exploiting the two PaperCut vulnerabilities in the wild, noting that some intrusions had led to deployment of the prolific LockBit ransomware.
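As an added defender-side illustration (not from the article or from Microsoft), the Python sketch below flags the behaviours in the chain Microsoft describes, run over constructed process telemetry; the PaperCut server process name pc-app.exe and the LSASS-reader allowlist are assumptions to be tuned per environment.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str              # "proc" = process creation, "access" = process access
    image: str             # image name of the acting process
    parent: str = ""       # parent image (process creation events)
    target: str = ""       # target image (process access events)

# Assumption: pc-app.exe is the PaperCut application server process name.
PAPERCUT_SERVER = "pc-app.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe"}
# Constructed allowlist of processes expected to open LSASS; tune per environment.
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

def detect(events):
    """Return (rule_id, image) pairs for events matching the observed chain."""
    hits = []
    for e in events:
        img, parent, target = e.image.lower(), e.parent.lower(), e.target.lower()
        if e.kind == "proc" and parent == PAPERCUT_SERVER and img in SHELLS:
            hits.append(("papercut-child-shell", img))      # shell spawned by print server
        elif e.kind == "proc" and parent == "wmiprvse.exe" and img in SHELLS:
            hits.append(("wmi-lateral-exec", img))          # shell launched via WMI
        elif e.kind == "proc" and img == "megasync.exe":
            hits.append(("megasync-exfil-tool", img))       # file-sharing app used for exfil
        elif e.kind == "access" and target == "lsass.exe" and img not in LSASS_READERS_OK:
            hits.append(("lsass-credential-access", img))   # unexpected handle to LSASS
    return hits

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    Event("proc", "powershell.exe", parent="pc-app.exe"),
    Event("proc", "powershell.exe", parent="explorer.exe"),   # benign admin use, no hit
    Event("access", "rundll32.exe", target="lsass.exe"),
    Event("access", "MsMpEng.exe", target="lsass.exe"),        # allowlisted, no hit
    Event("proc", "cmd.exe", parent="WmiPrvSE.exe"),
    Event("proc", "MEGAsync.exe", parent="explorer.exe"),
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```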
