Search This Blog

Powered by Blogger.

Blog Archive

Labels

Ransomware Clop and LockBit Attacked PaperCut Servers

Clop ransomware affiliates exploited CVE-2023-27350 and CVE-2023-27351, according to Microsoft.

 


A Microsoft spokesperson stated in a statement that recent attacks that exploited two vulnerabilities in the PaperCut print management software are likely associated with an affiliate program for the Clop ransomware. 

PaperCut Application Server was updated last month with two vulnerabilities that could allow remote attackers to execute unauthenticated code and access information.

CVE-2023–27350 / ZDI-CAN-18987 / PO-1216: This vulnerability affects all PaperCut MF/NG versions 8.0 or later on all OS platforms, as well as the application server. It impacts both the application server and the site server. 

CVE-2023–27351 / ZDI-CAN-19226 / PO-1219: A vulnerability in PaperCut MF or NG versions 15.0 or later is present on each application server platform, causing unauthenticated information disclosure.

It was notified last week that a vulnerability had been exploited in the wild by Trend Micro, and PaperCut sent an alert out to users. Customer servers must be updated as soon as possible to ensure security.

“Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” a tweet by Microsoft Threat Intelligence reads.  

Last week, Microsoft Threat Intelligence identified “Lace Tempest” as one of the threat actors exploiting these bugs, according to a report about BR11 and TA505. 

FIN11, an organization involved in the acceleration of the Accellion FTA extortion campaign, is linked to the infamous Clop ransomware gang. Dridex is reportedly another example of malware linked to TA505 and responsible for Locky. 

Fortra's file-sharing software GoAnywhere has been exploited before by crypto-ransomware campaigns associated with the Clop ransomware affiliate. The affiliate also utilized the Raspberry Robin worm widely distributed in the cybersecurity community post-compromise to perform post-compromise activities.

PaperCut NG and PaperCut MF have flaws that affect both solutions. A remote code execution attack can be conducted on a PaperCut Application server using CVE-2023-27350 by an unauthenticated attacker, while a remote code execution attack on PaperCut MF or NG might also allow an unauthenticated attacker to steal information about users stored in PaperCut MF or NG, such as their names, full names, e-mail addresses, department information, and credit card numbers.

In addition to accessing hashed passwords retrieved from internal PaperCut accounts, attackers exploiting this vulnerability can also retrieve passwords retrieved from external directory sources, such as Microsoft 365 and Google Workspace (although they are not able to access password hashes retrieved from external directory sources such as Microsoft 365 and Google Workspace). 

There have previously been reports indicating that Lace Tempest, also known as DEV-0950, is a Clop affiliate. Lace Tempest has been detected using GoAnywhere exploits and Raspberry Robin malware as part of ransomware campaigns. PaperCut has been targeted since April 13 due to software vulnerabilities. 

Clop has Targeted This Target

It appears that the exploitation of PaperCut servers fits the overall pattern we have seen over the last three years about the Clop ransomware gang. 

Although the Clop operation continues to encrypt files and send them to victims in attacks, BleepingComputer has reported that the operation prefers to steal data from victims. This is so that it can be used to extort them for ransom. 

In 2020, Clop, a Chinese threat actor, exploited one of Accellion's zero-day vulnerabilities, the Accellion FTA, from which he stole data from approximately 100 companies as part of this new shift in tactics.

A zero-day vulnerability in the GoAnywhere MFT secure file-sharing platform has recently been exploited by the Clop gang to steal data from 130 companies due to zero-day vulnerabilities.
Share it:

Cyberattaccks

Cyberattacks

Cybersecurity

LockBit ransomware

Ransomware

Vulnerabilities and Exploits