Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Microsoft: Cl0p Ransomware Exploited PaperCut Vulnerabilities Since April 13

Microsoft says Cl0p ransomware operator has been exploiting a recently patched PaperCut vulnerability since April 13.

ABB ransomware

A Cl0p ransomware operator affiliated with the FIN11 and TA505 threat actors has been exploiting recently patched PaperCut vulnerabilities since April 13, Microsoft says.

Impacting the PaperCut MF/NG print management system and tracked as CVE-2023-27350 (CVSS score of 9.8), the issue can be exploited to bypass authentication and achieve remote code execution (RCE) with System privileges.

PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 that were released in March 2023 address the critical-severity flaw along with CVE-2023–27351, a high-severity bug leading to information exposure.

Last week, PaperCut warned that CVE-2023-27350 has been exploited in malicious attacks, urging customers to update their installations as soon as possible.

Several days later, endpoint and response security firm Huntress said that it identified hundreds of vulnerable hosts with PaperCut installed and that it observed attackers exploiting the vulnerabilities to deploy remote management and maintenance (RMM) tools for persistent access.

While PaperCut has only mentioned CVE-2023-27350 being exploited in attacks, Huntress and Microsoft suggested that both vulnerabilities have been leveraged by hackers.

Huntress linked the attacks to TrueBot malware operator Silence, which is known to have ties with Russian hacking group TA505, which is known for distributing the Cl0p ransomware.

Advertisement. Scroll to continue reading.

Now, Microsoft says that the Cl0p ransomware operator it tracks as Lace Tempest (also known as DEV-0950) – which is associated with both FIN11 and TA505 advanced persistent threat (APT) actors – has been exploiting the PaperCut vulnerabilities for the past two weeks.

“Lace Tempest (DEV-0950) is a Cl0p ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13,” Microsoft says.

Microsoft also says that the threat actor executed PowerShell commands to drop TrueBot on vulnerable systems, confirming Huntress’ observations. The malware was observed attempting to steal Local Security Authority Subsystem Service (LSASS) credentials.

“Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync,” Microsoft notes.

According to Huntress, more threat actors are now exploiting the PaperCut vulnerabilities, including in attacks deploying cryptocurrency miners on compromised systems.

Related: GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks

Related: Russia-Linked TA505 Back at Targeting Financial Institutions

Related: FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.