Microsoft has claimed that recent attacks exploiting two vulnerabilities in the PaperCut print management software are most likely the work of a Clop ransomware affiliate.
The two bugs in question are CVE-2023-27350, a critical unauthenticated remote code execution flaw, and CVE-2023-27351, a high-severity unauthenticated information disclosure flaw. The former has a CVSS score of 9.8.
After being notified by Trend Micro, PaperCut alerted customers last week that the vulnerabilities were being exploited in the wild and urged them to update their servers immediately.
Microsoft Threat Intelligence yesterday attributed recent attacks exploiting the bugs to "Lace Tempest," a threat actor it says overlaps with FIN11 and TA505. FIN11 is linked to the infamous Clop ransomware gang and the Accellion FTA extortion campaign, while TA505 is reportedly behind the Dridex banking Trojan and Locky ransomware.
Also known as DEV-0950, Lace Tempest is a Clop ransomware affiliate that has previously been observed using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the threat group exploited the PaperCut bugs in attacks as early as April 13.
"In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service," Microsoft added in a tweet.
"Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync."
Microsoft added that other groups may also be exploiting the two PaperCut vulnerabilities in the wild, noting that some intrusions had led to the deployment of the prolific LockBit ransomware.
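A defender-side illustration of the chain Microsoft describes, added here and not part of the article or Microsoft's reporting: a small detector that runs over constructed Sysmon-style process-creation events and flags the PaperCut server spawning PowerShell, MegaSync running on a print server, and remote WMI execution. It assumes the PaperCut server process is named pc-app.exe and that events carry ParentImage, Image and CommandLine fields; both are assumptions, not facts from the page.

```python
import re

# Constructed sample events (Sysmon EID 1 / 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",  # assumed name
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc AAAA"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff -ForceV1"},  # benign: should not fire
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe",
     "CommandLine": "MEGAsync.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:FILESRV01 process call create notepad.exe"},
]

# Each rule: (name, predicate over one event). Predicates mirror the three
# observable steps in the reported chain: initial PowerShell from the print
# server, MegaSync used for exfiltration, and WMI used for lateral movement.
RULES = [
    ("papercut_spawns_shell",
     lambda e: e["ParentImage"].lower().endswith("pc-app.exe")
     and re.search(r"(powershell|cmd)\.exe$", e["Image"], re.I) is not None),
    ("megasync_on_print_server",
     lambda e: "megasync" in e["Image"].lower()),
    ("wmi_remote_exec",
     lambda e: re.search(r"wmic(\.exe)?\s+/node:", e["CommandLine"], re.I) is not None),
]


def detect(events):
    """Return (rule_name, image) for every event that matches a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event["Image"]))
    return hits


if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"[{name}] {image}")
```

The conhost.exe event is deliberately left unflagged: injection into a running process is not visible from process creation alone and needs memory or network telemetry, which is why the article's C2 connection from conhost.exe is the signal to pair this with.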
Some parts of this article are sourced from:
www.infosecurity-journal.com