Microsoft revealed that recent attacks against PaperCut servers were aimed at distributing Cl0p and LockBit ransomware.
Microsoft linked the recent attacks against PaperCut servers to a financially motivated threat actor tracked as Lace Tempest (formerly DEV-0950). The group is a known affiliate of the Clop ransomware-as-a-service (RaaS) operation and has been linked to the GoAnywhere attacks and to Raspberry Robin infections. Lace Tempest added the PaperCut exploits to its arsenal on April 13 and has used them since.
Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505).
— Microsoft Threat Intelligence (@MsftSecIntel) April 26, 2023

In the attack observed by Microsoft, the group ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service.
Then Lace Tempest dropped a Cobalt Strike Beacon implant, gathered additional information on the target environment, and used WMI for lateral movement. The group used the file-sharing app MegaSync for data exfiltration.
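The chain described above (PaperCut server spawning PowerShell, an attempt on LSASS, cross-process access to conhost.exe, WMI-launched processes on other hosts, and a MegaSync client appearing on a server) lends itself to stage correlation rather than single-event alerting. The following is an added example written for this page, not Microsoft's or PaperCut's detection logic. It assumes an EDR-style feed of process-creation and cross-process-access events, assumes the PaperCut server runs as an image named pc-app.exe and the MegaSync client as megasync.exe (both labelled assumptions in the code), and uses constructed sample telemetry.

```python
"""Correlate EDR-style telemetry against the PaperCut -> TrueBot -> Cobalt Strike
chain described in the article. Added example, not Microsoft's detection logic;
image names, field layout and the sample events are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PAPERCUT_SERVER = "pc-app.exe"    # ASSUMED PaperCut server image name; adjust to your EDR
MEGASYNC_CLIENT = "megasync.exe"  # ASSUMED MegaSync client image name
WMI_HOST = "wmiprvse.exe"         # WMI provider host: parent of WMI-spawned processes
SHELLS = {"powershell.exe", "cmd.exe", "rundll32.exe"}
# Processes that legitimately open lsass.exe; anything else touching it is suspect.
LSASS_ALLOW = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# conhost.exe is created by csrss.exe; other processes opening it are unusual.
CONHOST_ALLOW = {"csrss.exe"}


@dataclass
class Event:
    host: str
    kind: str            # "process" (creation) or "access" (cross-process handle)
    image: str           # acting process image name
    parent: str = ""     # parent image, for "process" events
    target: str = ""     # target image, for "access" events


def stage_of(ev: Event) -> Optional[str]:
    """Map one event to a stage of the chain, or None if it matches nothing."""
    img, par, tgt = ev.image.lower(), ev.parent.lower(), ev.target.lower()
    if ev.kind == "process":
        if par == PAPERCUT_SERVER and img in SHELLS:
            return "initial_exec"   # PaperCut server spawning a shell after exploitation
        if par == WMI_HOST and img in SHELLS:
            return "lateral_wmi"    # shell launched via WMI, i.e. from another host
        if img == MEGASYNC_CLIENT:
            return "exfil_tool"     # file-sharing client present on a server
    elif ev.kind == "access":
        if tgt == "lsass.exe" and img not in LSASS_ALLOW:
            return "cred_theft"     # unexpected handle to LSASS
        if tgt == "conhost.exe" and img not in CONHOST_ALLOW:
            return "injection"      # cross-process access to conhost.exe
    return None


def correlate(events: List[Event]) -> Dict[str, List[str]]:
    """Return, per host, the sorted list of distinct chain stages observed there."""
    stages: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            stages[ev.host].add(stage)
    return {host: sorted(found) for host, found in stages.items()}


def hosts_to_triage(events: List[Event], min_stages: int = 2) -> List[str]:
    """Hosts with at least min_stages distinct stages; one stage alone is usually noise."""
    return sorted(h for h, found in correlate(events).items() if len(found) >= min_stages)


# Constructed sample telemetry (not real logs).
SAMPLE = [
    Event("PRINT01", "process", "powershell.exe", parent="pc-app.exe"),
    Event("PRINT01", "access", "powershell.exe", target="lsass.exe"),
    Event("PRINT01", "access", "powershell.exe", target="conhost.exe"),
    Event("PRINT01", "process", "megasync.exe", parent="explorer.exe"),
    Event("FS02", "process", "powershell.exe", parent="wmiprvse.exe"),
    Event("FS02", "access", "msmpeng.exe", target="lsass.exe"),        # AV scan, allowlisted
    Event("WS77", "process", "powershell.exe", parent="explorer.exe"),  # ordinary admin use
]

if __name__ == "__main__":
    for host, found in correlate(SAMPLE).items():
        print(f"{host}: {', '.join(found)}")
    print("triage:", hosts_to_triage(SAMPLE))
```

Run on the constructed sample, PRINT01 accumulates four stages and is the only host that clears the two-stage triage threshold; FS02 shows a single WMI-launched shell, which on its own is worth a look but not an incident, and the allowlisted AV access to LSASS is ignored. The stage names are deliberately coarse: the value of the rule is in requiring several of them on one host, which is what separates this chain from routine PowerShell use.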
Microsoft is also monitoring a separate cluster of attacks exploiting PaperCut flaws to deliver the Lockbit ransomware. The company warns that other financially motivated groups could adopt a similar infection chain.
Microsoft 365 Defender detects the exploitation, malware, & malicious activity in these Lace Tempest attacks. Customers can use the detailed published reports in Microsoft 365 Defender & Microsoft Defender Threat Intelligence to investigate further & remediate affected assets.
— Microsoft Threat Intelligence (@MsftSecIntel) April 26, 2023

About the author: Vilius Petkauskas, Senior Journalist at CyberNews
The post Crooks use PaperCut exploits to deliver Cl0p and LockBit ransomware appeared first on Security Affairs.