Microsoft has said its research found the Clop and LockBit ransomware operators are behind the latest data breach incidents related to the PaperCut MF/NG vulnerabilities.
The Redmond giant recently published a Twitter thread in which it points the finger toward these two groups.
“Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” one of the tweets reads.
Deploying Cobalt Strike
The company also said that “Lace Tempest’s” activity overlaps with FIN11 and TA505, both of whom are linked to the Clop ransomware operation. Furthermore, the threat actors used the access gained to deliver TrueBot malware, which has also been previously linked to Clop.
Finally, Lace Tempest was seen delivering a Cobalt Strike beacon, scouting for connected endpoints, and moving laterally using WMI. Any valuable data they could find - they would exfiltrate using the file-sharing app MegaSync, Microsoft added.
In March 2023, news broke that PaperCut’s developers fixed two flaws in the PaperCut Application Server which allowed for remote code execution to be done by unauthenticated actors.
The two flaws have since been tracked as CVE-2023–27350 / ZDI-CAN-18987 / PO-1216 (unauthenticated remote code execution flaw with a 9.8 severity score, affecting all PaperCut MF or NG versions from 8.0 onward on all operating systems) and CVE-2023–27351 / ZDI-CAN-19226 / PO-1219 (unauthenticated information disclosure flaw with an 8.2 severity score, affecting all PaperCut MF or NG versions 15.0 and newer on all OS’ for application servers).
Earlier this week, it was said that the flaws were most likely a lot more dangerous than initially thought, as two proofs-of-concept (PoC) were released.
PaperCut is a print management software solution used by hundreds of enterprises and public sector companies around the world.
- Here are the best firewalls right now