Microsoft claims that recent attacks exploiting two vulnerabilities in its PaperCut print management software are likely the result of Clop ransomware affiliates.
The two bugs in question are CVE-2023-27350 (a critical unauthenticated remote code execution flaw) and CVE-2023-27351 (a high-severity unauthenticated information disclosure flaw). The former carries a CVSS score of 9.8.
After being notified by Trend Micro, PaperCut warned users last week that the vulnerability was being exploited in the wild and urged customers to update their servers immediately.
Microsoft Threat Intelligence yesterday attributed a recent attack exploiting this bug to “Lace Tempest”, a threat actor that overlaps with FIN11 and TA505. FIN11 is associated with the infamous Clop ransomware gang and the Accellion FTA extortion campaign, and TA505 is reportedly behind the Dridex banking Trojan and Locky ransomware.
Lace Tempest, also known as DEV-0950, is a Clop ransomware affiliate previously observed using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. According to Microsoft, the threat group had been exploiting the PaperCut bug in its attacks as of April 13th.
“In an observed attack, Lace Tempest ran multiple PowerShell commands to deliver the TrueBot DLL, connect to a C2 server to steal LSASS credentials, and inject the TrueBot payload into the conhost.exe service,” Microsoft said in a tweet.
“Lace Tempest then delivered a Cobalt Strike Beacon implant to conduct reconnaissance on connected systems and used WMI to move laterally. The attackers then used the file-sharing app MegaSync to identify and extract the files of interest.”
Microsoft added that other groups may also be exploiting the two PaperCut vulnerabilities, noting that several intrusions have led to deployment of the prolific LockBit ransomware.