Clop and LockBit ransomware affiliates are behind the recent attacks exploiting vulnerabilities in PaperCut application servers, according to Microsoft and Trend Micro researchers.
The detected campaings
“Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” Microsoft shared.
“Lace Tempest (DEV-0950) is a Clop ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13.”
The attackers are attempting to steal LSASS credentials, deliver Truebot downloader malware and a Cobalt Strike Beacon implant. They move laterally within targets’ network by using Windows Management Instrumentation (WMI), and exfiltrate files via the MegaSync file-sharing app.
“We’re monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment. More threat actors could follow suit,” they warned.
Trend Micro researchers documented a Lockbit campaign that starts with the exploitation of CVE-2023-27350.
The attackers run a PowerShell script via the exploited app and download the LockBit ransomware from a temporary hosting site.
Urgent action is needed
Clop and LockBit ransomware-as-a-service (RaaS) affiliates are among the five most active ransomware threat actors.
Microsoft says that the Clop affiliate is exploiting CVE-2023-27350 (a RCE flaw) and CVE-2023-27351 (an information disclosure flaw). Trend Micro says the LockBit affiliate is exploiting just the former.
In any case, admins are advised to upgrade to one of the versions with fixes for both: PaperCut MF and NG versions 20.1.7, 21.2.11 or 22.0.9 – especially because a PoC for CVE-2023-27350 has been publicly released, so more threat actors could start using it.
PaperCut has published advice on what to do if you suspect one of your servers has been compromised, and Trend Micro’s Zero Day Initiative has released rules and filters that can help protect against exploitation of this vulnerability.