
Microsoft has confirmed that active exploitation of PaperCut servers is linked to attacks designed to deliver the Cl0p and LockBit ransomware families.
The technology giant's threat intelligence team attributes a subset of the intrusions to a financially motivated actor it tracks as Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups such as FIN11, TA505 and Evil Corp.
“In an observed attack, Lace Tempest ran multiple PowerShell commands to deliver the TrueBot DLL, connect to a C2 server to steal LSASS credentials, and inject the TrueBot payload into the conhost.exe service,” Microsoft said in a series of tweets.
The next stage of the attack involved deploying Cobalt Strike Beacon implants for reconnaissance, using WMI to move laterally across networks and exfiltrating targeted files via file-sharing service MegaSync.
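The chain Microsoft describes (PowerShell launched from the print server, LSASS credential access, injection into conhost.exe, WMI-driven lateral movement and a MegaSync exfiltration tool) maps to a handful of process-telemetry checks. The detector below is an added example written for this article, not code from Microsoft or PaperCut; the PaperCut server process name `pc-app.exe`, the event field names and the sample events are all assumptions constructed for illustration.

```python
# Added example: flag the post-exploitation chain described in the article
# over constructed process-telemetry events (JSON lines). Process name
# "pc-app.exe" and the field names are assumptions, not from the article.
import json

PRINT_SERVER = {"pc-app.exe"}           # assumed PaperCut app-server process
SHELLS = {"powershell.exe", "pwsh.exe"}
WMI_HOSTS = {"wmiprvse.exe", "wmic.exe"}  # parents of WMI-spawned commands

def classify(event):
    """Return the list of findings one process create/access/inject event triggers."""
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    target = event.get("target", "").lower()
    findings = []
    if parent in PRINT_SERVER and image in SHELLS:
        findings.append("powershell_from_papercut")        # initial PowerShell stage
    if image in SHELLS and target == "lsass.exe":
        findings.append("lsass_access_from_powershell")    # credential theft
    if event.get("action") == "inject" and target == "conhost.exe":
        findings.append("injection_into_conhost")          # TrueBot injection target
    if parent in WMI_HOSTS and image in SHELLS | {"cmd.exe"}:
        findings.append("wmi_remote_execution")            # lateral movement via WMI
    if "megasync" in image:
        findings.append("megasync_exfil_tool")             # exfiltration client
    return findings

def scan(lines):
    """Scan JSON-lines events and return {host: sorted findings} for hosts with hits."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for f in classify(ev):
            hits.setdefault(ev.get("host", "?"), set()).add(f)
    return {h: sorted(v) for h, v in hits.items()}

# Constructed sample telemetry (not real logs), one event per line.
SAMPLE = """
{"host":"print01","action":"create","parent":"pc-app.exe","image":"powershell.exe"}
{"host":"print01","action":"access","parent":"pc-app.exe","image":"powershell.exe","target":"lsass.exe"}
{"host":"print01","action":"inject","parent":"powershell.exe","image":"rundll32.exe","target":"conhost.exe"}
{"host":"fs02","action":"create","parent":"wmiprvse.exe","image":"cmd.exe"}
{"host":"fs02","action":"create","parent":"explorer.exe","image":"megasync.exe"}
{"host":"ws09","action":"create","parent":"explorer.exe","image":"powershell.exe"}
"""

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE.splitlines()), indent=2))
```

Hosts that trip several checks in sequence (print01 above) are the ones worth triaging first; a lone PowerShell launch from explorer.exe (ws09) produces no finding.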
Lace Tempest, a Cl0p ransomware affiliate, is said to have previously taken advantage of initial access gained via the Fortra GoAnywhere MFT exploit and Raspberry Robin infections (carried out by another actor tracked as DEV-0856).
Raspberry Robin, also known as the QNAP worm, is believed to be an access-as-a-service malware used as a delivery vehicle for next-stage payloads such as IcedID, Cl0p, and LockBit. It is known to incorporate various obfuscation, anti-debugging and anti-virtual machine techniques to evade detection.
Microsoft's findings confirm the earlier assessment of the Melbourne-based print management software provider that threat actors incorporated the PaperCut flaws (CVE-2023-27350 and CVE-2023-27351) into their attack toolkit as early as April 13.
Successful exploitation of the two security vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code and gain unauthorized access to sensitive information.
Redmond added that another cluster of activity weaponizing the same flaws has also been detected, including one leading to LockBit ransomware infections.
FIN7 Exploits Veeam Vulnerability CVE-2023-27532
The development comes as a Russian cybercriminal group, tracked as FIN7, was linked to an attack that exploited unpatched Veeam backup software instances to distribute POWERTRASH.

The activity, detected by WithSecure on March 28, 2023, likely involved an exploit for CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication that allows an unauthenticated attacker to obtain encrypted credentials stored in the configuration database and potentially gain access to infrastructure hosts. It was patched last month.
“Threat actors used a series of commands and custom scripts to gather host and network information from compromised machines,” said the Finnish cybersecurity firm. “Additionally, a series of SQL commands were executed to steal information from the Veeam backup database.”
The attack also used a custom PowerShell script to establish an active foothold on the compromised host by retrieving stored credentials from the backup server, gathering system information, and running DICELOADER (aka Lizar or Tirion) every time the device boots.
The previously undocumented persistence script is codenamed POWERHOLD, and the DICELOADER malware is decoded and executed by another unique loader called DUBLOADER.
Security researchers Neeraj Singh and Mohammad Kazem Hassan Nejad said, “At the time of this writing, the purpose of these attacks was not clear, as they were mitigated before being fully fleshed out.” They added that the findings show the group's evolving business and modus operandi.
POWERHOLD and DUBLOADER are not the only new malware FIN7 has added to its arsenal. IBM Security X-Force recently revealed a loader and backdoor called Domino, designed to facilitate follow-on exploitation.
Mirai botnet exploits TP-Link Archer WiFi router bug
In a related development, the Zero Day Initiative (ZDI) revealed that the creators of the Mirai botnet updated their malware to include CVE-2023-1389, a critical flaw in TP-Link Archer AX21 routers that could allow an unauthenticated adversary to execute arbitrary code on affected installations.

This issue (CVE-2023-1389, CVSS score: 8.8) was demonstrated by Team Viettel researchers at the Pwn2Own hacking contest in Toronto in December 2022, and the vendor issued a fix in March 2023.
According to ZDI, the first signs of in-the-wild exploitation appeared on April 11, 2023, when attackers used the flaw to make HTTP requests to Mirai command-and-control (C2) servers to download and execute payloads responsible for enrolling devices into the botnet and launching DDoS attacks against game servers.
ZDI threat researcher Peter Girnus said: “Applying this patch is the only recommended action to address this vulnerability.”