Microsoft has said that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the work of an affiliate of the Clop ransomware gang.
The two bugs in question are CVE-2023-27350, a critical unauthenticated remote code execution vulnerability, and CVE-2023-27351, a high-severity unauthenticated information disclosure vulnerability. The former has a CVSS score of 9.8.
After being notified by Trend Micro, PaperCut alerted users last week that the vulnerabilities were being exploited in the wild and urged customers to update their servers immediately.
Microsoft Threat Intelligence yesterday attributed the recent attacks exploiting the bugs to “Lace Tempest,” a threat actor it says overlaps with FIN11 and TA505. FIN11 is linked to the infamous Clop ransomware gang and the Accellion FTA extortion campaign, while TA505 is behind the Dridex banking trojan and the Locky ransomware.
Also known as DEV-0950, Lace Tempest is a ransomware affiliate of Clop that has previously been detected using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the threat group exploited the PaperCut bugs in attacks since April 13.
“In the observed attacks, Lace Tempest executed several PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service,” Microsoft said in a tweet.
“Lace Tempest then delivered a Cobalt Strike Beacon implant, performed reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the MegaSync file-sharing application.”
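The chain Microsoft describes leaves several host-level traces a defender can look for: a print-server process spawning PowerShell, a non-system process opening LSASS, processes created under the WMI provider host, and MegaSync running where it is not expected. The script below is an added illustration of how those four checks can be expressed over endpoint telemetry; it is not Microsoft's or PaperCut's detection logic. The flat event shape, the PaperCut server image name `pc-app.exe`, the LSASS allowlist and the sample events are all assumptions constructed for the example.

```python
"""Toy detection pass for the PaperCut intrusion chain described above.

Added illustration, not vendor detection logic. Assumptions: events arrive as
flat dicts (one per process-creation or process-access event), the PaperCut
application server runs as `pc-app.exe`, and the LSASS allowlist is a small
constructed list of processes expected to touch lsass.exe on a print server.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

PAPERCUT_IMAGE = "pc-app.exe"                 # assumption: PaperCut server process
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WMI_HOST = "wmiprvse.exe"                     # parent of processes created via WMI
WMI_CHILD_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe"}
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}  # assumption


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _img(path: str) -> str:
    """Normalize a full image path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if the event matches one stage of the chain, else None."""
    host = ev.get("host", "?")
    if ev["type"] == "process_create":
        parent, image = _img(ev["parent"]), _img(ev["image"])
        # Stage 1: PaperCut server launching PowerShell (initial payload delivery).
        if parent == PAPERCUT_IMAGE and image in POWERSHELL:
            return Finding(host, "papercut_spawned_powershell", ev.get("cmdline", ""))
        # Stage 3: lateral movement via WMI shows up as WmiPrvSE spawning a shell.
        if parent == WMI_HOST and image in WMI_CHILD_SHELLS:
            return Finding(host, "wmi_remote_exec", f"{parent} -> {image}")
        # Stage 4: MegaSync used for exfiltration.
        if image == "megasync.exe":
            return Finding(host, "megasync_execution", ev.get("cmdline", ""))
    elif ev["type"] == "process_access":
        source, target = _img(ev["source"]), _img(ev["target"])
        # Stage 2: credential theft is an unexpected process opening lsass.exe.
        if target == "lsass.exe" and source not in LSASS_ALLOWLIST:
            return Finding(host, "lsass_access", f"{source} opened lsass.exe")
    return None


def detect(events: List[dict]) -> List[Finding]:
    """Run every event through check_event and keep the hits, in input order."""
    return [f for f in map(check_event, events) if f is not None]


def summarize(events: List[dict]) -> Dict[str, int]:
    """Count findings per rule, useful for a quick triage view."""
    return dict(Counter(f.rule for f in detect(events)))


# Constructed sample telemetry (two hosts, one benign line per suspicious one).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "print01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "cmdline": "chrome.exe"},
    {"type": "process_create", "host": "print01", "parent": "C:\\PaperCut\\server\\bin\\win\\pc-app.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <CONSTRUCTED_PLACEHOLDER>"},
    {"type": "process_access", "host": "print01", "source": "C:\\Windows\\System32\\rundll32.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},
    {"type": "process_access", "host": "print01", "source": "C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},
    {"type": "process_create", "host": "fs02", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"},
    {"type": "process_create", "host": "fs02", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe", "cmdline": "MEGAsync.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
    print(summarize(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators run PowerShell, security products open LSASS), so in practice the value comes from correlating several of them on one host within a short window, and from the first rule, where a print server process has no legitimate reason to launch PowerShell.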
Microsoft added that other groups may also be exploiting the two PaperCut vulnerabilities in the wild, noting that some intrusions had led to the deployment of the prolific LockBit ransomware.
Microsoft has recently announced that it has identified an affiliate of the Clop ransomware group as the perpetrator of a new type of attack known as “Papercut”. The malware is capable of deleting user files and other data in order to force victims to pay up in order to restore their systems.
IT security specialists at Microsoft have reported that the Clop affiliate is responsible for executing these attacks, which began in the summer of 2020 and have recently grown in intensity. The cybercriminal group claims that they have not been actively targeting any organization, though they have successfully penetrated the computer systems of dozens of companies, many of which are Microsoft customers.
The attack begins when the malicious actors first access a customer’s computer system and then begin tampering with the system to insert their own malicious code. This code causes user files and documents to be deleted, making systems unusable. The attackers then demand payment for data restoration or extortion.
Microsoft has since released a security update to its systems in order to protect against the Papercut attack and the vulnerabilities that allowed the attacks to happen. However, Ikaroa, a full-stack tech company, has also released a suite of software and services to support businesses seeking to protect their systems against malicious attacks and ransomware. By using their leading-edge cyber security solutions, companies are able to harden their defenses and mitigate the risks posed by cyber criminals.
To reduce the impact of attacks, prevention is essential, so IT departments need to keep their systems up to date and apply the latest security updates. Companies should also follow industry best practices for applying patches, testing and auditing data security protocols, conducting regular security assessments and training staff to spot malicious activity.
In today’s digital environment, cybercrime is a huge concern. Microsoft has taken steps to prevent this type of attack from taking place and to punish those responsible, though improvements in IT security need to be ongoing in order to adequately protect businesses from malicious actors. Ikaroa provides the advanced IT security services that organizations need in order to stay ahead of these attackers and secure their systems.