Microsoft links PaperCut server attacks to Cl0p, LockBit ransomware

Researchers have linked leading ransomware groups Cl0p and LockBit to the ongoing exploitation of critical-rated vulnerabilities in print management software from PaperCut.

The vulnerabilities, CVE-2023-27350 and CVE-2023-27351, have a near maximum 9.8 severity score and have enabled remote code execution on vulnerable PaperCut servers since at least January 2023.

PaperCut was first alerted to the vulnerabilities by Trend Micro in January 2023 but alerts about active exploitation didn’t come until earlier this month.

In some instances, attackers used the flaws to spread Cl0p ransomware.

Microsoft Threat Intelligence tweeted that it has linked the attacks with Lace Tempest, a group it tracks also referred to as FIN11 or TA505.

The group has previously been linked with major cyber attacks such as the hacking of Accellion’s FTA in 2021, a campaign that affected major organizations such as Morgan Stanley.

Lace Tempest was observed using PowerShell commands to deliver TrueBot malware, which is used to check security protocols and deploy further malicious payloads.

It has also been tracked using the Raspberry Robin worm to load other malware including LockBit's ransomware payload. 

Microsoft also linked it to Cl0p’s GoAnywhere-related attacks, which may have affected more than 130 organizations and allowed for widespread enterprise extortion.

Like the PaperCut vulnerabilities, GoAnywhere’s flaw allowed Cl0p and other threat actors to  execute arbitrary code on breached systems.

Organizations such as the Pension Protection Fund and Rubrik were hit by data breaches as a result of the flaw.

Microsoft Threat Intelligence moved to a new taxonomy for threat actors on April 18 using the nomenclature of weather events.

Nation states prominent for sponsoring threat actors have all been assigned their own weather events such as ‘Blizzard’ for Russia or ‘Sleet’ for North Korea. Threat groups under these banners are assigned unique prefixes so they are individually identifiable.

What are the PaperCut server attacks?

Cyber security firm Trend Micro notified PaperCut about two flaws present in PaperCut MF and NG version 22.0.5, and the firm released patches to prevent them from being exploited on customer servers.

The first, tracked as CVE-2023-27350 received a CVSS3 rating of 9.8 (critical). It can be used by threat actors to execute code remotely, opening up victims to unchecked malware attacks or data theft.

CVE-2023-27351 can be used to steal user data from servers including payment information, logins, and email addresses.

However, as late as mid-April some enterprises had not updated their printer servers and were still vulnerable.

It was at this stage that the firm announced it had evidence to suggest the vulnerabilities were being exploited in the wild.

“We’ve had reports of customers being late to patch, and as a result their servers have been exposed for a number of weeks,” said Chris Dance, CEO and founder at PaperCut wrote in a blog post.

CVE-2023-27350 has been added to CISA’s list of known exploited vulnerabilities, which requires federal agencies to apply PaperCut’s update by May 12.