Researchers have linked leading ransomware groups Cl0p and LockBit to the ongoing exploitation of critical-rated vulnerabilities in print management software from PaperCut.
The vulnerabilities, CVE-2023-27350 and CVE-2023-27351, have a near maximum 9.8 severity score and have enabled remote code execution on vulnerable PaperCut servers since at least January 2023.
PaperCut was first alerted to the vulnerabilities by Trend Micro in January 2023 but alerts about active exploitation didn’t come until earlier this month.
In some instances, attackers used the flaws to spread Cl0p ransomware.
Microsoft Threat Intelligence tweeted that it has linked the attacks with Lace Tempest, a group it tracks also referred to as FIN11 or TA505.
Lace Tempest was observed using PowerShell commands to deliver TrueBot malware, which is used to check security protocols and deploy further malicious payloads.
State of ransomware readiness 2022
Reducing the personal and business cost
Microsoft also linked it to Cl0p’s GoAnywhere-related attacks, which may have affected more than 130 organizations and allowed for widespread enterprise extortion.
Like the PaperCut vulnerabilities, GoAnywhere’s flaw allowed Cl0p and other threat actors to execute arbitrary code on breached systems.
Microsoft Threat Intelligence moved to a new taxonomy for threat actors on April 18 using the nomenclature of weather events.
Nation states prominent for sponsoring threat actors have all been assigned their own weather events such as ‘Blizzard’ for Russia or ‘Sleet’ for North Korea. Threat groups under these banners are assigned unique prefixes so they are individually identifiable.
What are the PaperCut server attacks?
Cyber security firm Trend Micro notified PaperCut about two flaws present in PaperCut MF and NG version 22.0.5, and the firm released patches to prevent them from being exploited on customer servers.
The first, tracked as CVE-2023-27350 received a CVSS3 rating of 9.8 (critical). It can be used by threat actors to execute code remotely, opening up victims to unchecked malware attacks or data theft.
CVE-2023-27351 can be used to steal user data from servers including payment information, logins, and email addresses.
However, as late as mid-April some enterprises had not updated their printer servers and were still vulnerable.
It was at this stage that the firm announced it had evidence to suggest the vulnerabilities were being exploited in the wild.
“We’ve had reports of customers being late to patch, and as a result their servers have been exposed for a number of weeks,” said Chris Dance, CEO and founder at PaperCut wrote in a blog post.
CVE-2023-27350 has been added to CISA’s list of known exploited vulnerabilities, which requires federal agencies to apply PaperCut’s update by May 12.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Rory Bathgate is a staff writer at ITPro covering the latest news on artificial intelligence and business networks. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, after four years in student journalism. You can contact Rory at email@example.com or on LinkedIn.