Microsoft has confirmed that the active exploitation of PaperCut servers is related to attacks designed to deliver the Cl0p and LockBit ransomware families.
The tech giant’s threat intelligence team attributes a subset of the intrusions to a financially motivated actor who goes by the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups such as FIN11, TA505 and Evil Corp.
“In the observed attacks, Lace Tempest executed several PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service,” Microsoft said in a series of tweets.
The next phase of the attack involved deploying the Cobalt Strike Beacon implant to perform reconnaissance, move laterally through the network using WMI, and exfiltrate files of interest using the MegaSync file sharing service.
Lace Tempest is a Cl0p ransomware affiliate said to have previously exploited Fortra GoAnywhere MFT vulnerabilities, as well as initial access gained through Raspberry Robin infections (attributed to another actor named DEV-0856).
Raspberry Robin, also called the QNAP worm, is believed to be access-as-a-service malware used as a delivery vehicle for next-stage payloads such as IcedID, Cl0p, and LockBit. It is known to incorporate various obfuscation, anti-debugging and anti-virtual machine measures to avoid detection.
Microsoft said the threat actor incorporated the PaperCut flaws (CVE-2023-27350 and CVE-2023-27351) into its attack toolkit on April 13, corroborating the earlier assessment of the Melbourne-based print management software vendor.
Successful exploitation of both security vulnerabilities could allow unauthenticated remote attackers to achieve arbitrary code execution and gain unauthorized access to sensitive information.
A separate cluster of activity weaponizing the same flaws has also been detected, including those leading to LockBit ransomware infections, Redmond added.
FIN7 exploits Veeam Flaw CVE-2023-27532
The development comes as the Russian cybercrime group FIN7 has been linked to attacks that exploit unpatched instances of Veeam backup software to distribute POWERTRASH, a PowerShell-based in-memory dropper that executes an embedded payload.
The activity, detected by WithSecure on March 28, 2023, likely involved the misuse of CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication that allows an unauthenticated attacker to obtain encrypted credentials stored in the configuration database and gain access to the infrastructure hosts. It was patched last month.
“The threat actor used a series of commands and custom scripts to collect host and network information from the compromised machines,” the Finnish cybersecurity company said. “In addition, a series of SQL commands were executed to steal information from the Veeam backup database.”
Also used in the attacks were custom PowerShell scripts to retrieve stored credentials from backup servers, gather system information, and establish a persistent foothold on the compromised host by running DICELOADER (aka Lizar or Tirion) every time the device starts.
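The two intrusion chains described above (the PaperCut chain of PowerShell, LSASS credential theft and MegaSync exfiltration, and the Veeam chain of scripts and SQL commands run against the backup server) share a few host-level tells. The following detection script is an added example, not code from Microsoft, WithSecure or the article; the process names for the PaperCut and Veeam server services, the LSASS allow-list and the MegaSync domains are assumptions for illustration, and the telemetry is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Server processes whose children should never be script hosts. The process
# names are assumptions for illustration, not identifiers from the article.
SERVER_PROCS = {"pc-app.exe": "papercut", "veeam.backup.service.exe": "veeam"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "sqlcmd.exe"}
# Processes expected to open LSASS; tune to the environment (assumption).
LSASS_ALLOW = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "msmpeng.exe"}
# MegaSync talks to mega.nz / mega.co.nz hosts (assumption for the example).
MEGA_HOST = re.compile(r"(^|\.)mega(\.co)?\.nz$", re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one telemetry event to an alert label, or None if it looks benign."""
    kind = event.get("type")
    if kind == "process_create":
        owner = SERVER_PROCS.get(event["parent"].lower())
        if owner and event["image"].lower() in SCRIPT_HOSTS:
            return f"{owner}_spawns_script_host"  # post-exploitation via PowerShell/cmd/SQL
    elif kind == "process_access":
        if event["target"].lower() == "lsass.exe" and event["source"].lower() not in LSASS_ALLOW:
            return "lsass_access_from_unexpected_process"  # credential theft attempt
    elif kind == "network_connect":
        if MEGA_HOST.search(event["dest_host"]):
            return "megasync_outbound"  # possible exfiltration channel
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (timestamp, label) for every event that raises an alert."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["ts"], label))
    return hits


# Constructed sample telemetry (not real logs), modelled on the reported chains.
SAMPLE_EVENTS = [
    {"ts": "10:01", "type": "process_create", "parent": "pc-app.exe", "image": "powershell.exe"},
    {"ts": "10:02", "type": "process_access", "source": "conhost.exe", "target": "lsass.exe"},
    {"ts": "10:05", "type": "network_connect", "image": "megasync.exe", "dest_host": "g.api.mega.co.nz"},
    {"ts": "10:06", "type": "process_create", "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "11:00", "type": "process_create", "parent": "Veeam.Backup.Service.exe", "image": "sqlcmd.exe"},
    {"ts": "11:01", "type": "process_access", "source": "services.exe", "target": "lsass.exe"},
]

if __name__ == "__main__":
    for ts, label in scan(SAMPLE_EVENTS):
        print(ts, label)
```

In a real deployment the same three checks map onto Sysmon event IDs 1, 10 and 3 (or their EDR equivalents); the benign events at 10:06 and 11:01 show why the parent-process and allow-list conditions matter.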
The hitherto undocumented persistence script has been dubbed POWERHOLD, with the DICELOADER malware decoded and executed via another unique loader called DUBLOADER.
“The target of these attacks was unclear at the time of writing as they were mitigated before fully materializing,” said security researchers Neeraj Singh and Mohammad Kazem Hassan Nejad, adding that the findings point to the evolution of the group’s tradecraft and modus operandi.
POWERHOLD and DUBLOADER are far from the only new pieces of malware added by FIN7 to its attack arsenal. IBM Security X-Force recently shed light on a loader and backdoor called Domino that is designed to facilitate follow-on exploitation.
Mirai Botnet Exploits TP-Link Archer WiFi Router Bug
In a related development, the Zero Day Initiative (ZDI) revealed that the authors of the Mirai botnet have updated their malware to include CVE-2023-1389, a high-severity flaw in TP-Link Archer AX21 routers that could allow an unauthenticated adversary to execute arbitrary code on affected installations.
The issue (CVE-2023-1389, CVSS score: 8.8) was demonstrated at the Pwn2Own hacking contest held in Toronto in December 2022 by researchers from the Viettel team, prompting the vendor to issue fixes in March of 2023.
The first signs of in-the-wild exploitation, according to ZDI, emerged on April 11, 2023, with threat actors exploiting the flaw to make an HTTP request to Mirai’s command and control (C2) servers to download and execute payloads responsible for co-opting the device into the botnet and launching DDoS attacks against game servers.
“This is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their place in an enterprise,” said ZDI threat researcher Peter Girnus. “Applying this patch is the only recommended action to address this vulnerability.”
Microsoft confirms that PaperCut servers have been used to deliver LockBit and Cl0p ransomware. This is a potentially devastating attack that could cause significant damage across many businesses.
At Ikaroa, our clients can trust us to prioritize their security and privacy, so that they don’t fall victim to malicious attacks. Our team of experts is capable of defending against the latest threats and making sure that our clients’ data remains safe.
We believe that companies should be especially aware of the potential dangers of ransomware attacks. By using something as relatively harmless as a PaperCut server, malicious actors can easily deliver their payloads. It’s essential for companies to stay up to date on trends in malicious attacks so that they can stay one step ahead of these increasingly sophisticated threats.
At Ikaroa, we provide our clients with comprehensive security solutions that let them identify and respond to potential threats before they become a serious problem. Our suite of security tools and services is designed to help our clients prevent ransomware attacks and other malicious threats.
At Ikaroa, we’re committed to keeping your data safe and secure. We know that ransomware is real, and we’re here to help our clients keep their businesses protected.