A Cl0p ransomware operator affiliated with the FIN11 and TA505 threat actors has been exploiting recently patched PaperCut vulnerabilities since April 13, Microsoft says.
Impacting the PaperCut MF/NG print management system and tracked as CVE-2023-27350 (CVSS score of 9.8), the issue can be exploited to bypass authentication and achieve remote code execution (RCE) with System privileges.
PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 that were released in March 2023 address the critical-severity flaw along with CVE-2023–27351, a high-severity bug leading to information exposure.
Last week, PaperCut warned that CVE-2023-27350 has been exploited in malicious attacks, urging customers to update their installations as soon as possible.
Several days later, endpoint and response security firm Huntress said that it identified hundreds of vulnerable hosts with PaperCut installed and that it observed attackers exploiting the vulnerabilities to deploy remote management and maintenance (RMM) tools for persistent access.
While PaperCut has only mentioned CVE-2023-27350 being exploited in attacks, Huntress and Microsoft suggested that both vulnerabilities have been leveraged by hackers.
Huntress linked the attacks to TrueBot malware operator Silence, which is known to have ties with Russian hacking group TA505, which is known for distributing the Cl0p ransomware.
Now, Microsoft says that the Cl0p ransomware operator it tracks as Lace Tempest (also known as DEV-0950) – which is associated with both FIN11 and TA505 advanced persistent threat (APT) actors – has been exploiting the PaperCut vulnerabilities for the past two weeks.
“Lace Tempest (DEV-0950) is a Cl0p ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13,” Microsoft says.
Microsoft also says that the threat actor executed PowerShell commands to drop TrueBot on vulnerable systems, confirming Huntress’ observations. The malware was observed attempting to steal Local Security Authority Subsystem Service (LSASS) credentials.
“Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync,” Microsoft notes.
According to Huntress, more threat actors are now exploiting the PaperCut vulnerabilities, including in attacks deploying cryptocurrency miners on compromised systems.
Related: GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks
Related: Russia-Linked TA505 Back at Targeting Financial Institutions
Related: FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group
