Researchers have linked leading ransomware groups Cl0p and LockBit to the ongoing exploitation of critical-rated vulnerabilities in print management software from PaperCut.
The vulnerabilities, CVE-2023-27350 and CVE-2023-27351, have a near maximum 9.8 severity score and have enabled remote code execution on vulnerable PaperCut servers since at least January 2023.
PaperCut was first alerted to the vulnerabilities by Trend Micro in January 2023 but alerts about active exploitation didn’t come until earlier this month.
In some instances, attackers used the flaws to spread Cl0p ransomware.
Microsoft Threat Intelligence tweeted that it has linked the attacks with Lace Tempest, a group it tracks also referred to as FIN11 or TA505.
The group has previously been linked with major cyber attacks such as the hacking of Accellion’s FTA in 2021, a campaign that affected major organizations such as Morgan Stanley.
Lace Tempest was observed using PowerShell commands to deliver TrueBot malware, which is used to check security protocols and deploy further malicious payloads.
It has also been tracked using the Raspberry Robin worm to load other malware including LockBit's ransomware payload.
RELATED RESOURCE
Microsoft also linked it to Cl0p’s GoAnywhere-related attacks, which may have affected more than 130 organizations and allowed for widespread enterprise extortion.
Like the PaperCut vulnerabilities, GoAnywhere’s flaw allowed Cl0p and other threat actors to execute arbitrary code on breached systems.
Organizations such as the Pension Protection Fund and Rubrik were hit by data breaches as a result of the flaw.
Microsoft Threat Intelligence moved to a new taxonomy for threat actors on April 18 using the nomenclature of weather events.
Nation states prominent for sponsoring threat actors have all been assigned their own weather events such as ‘Blizzard’ for Russia or ‘Sleet’ for North Korea. Threat groups under these banners are assigned unique prefixes so they are individually identifiable.
What are the PaperCut server attacks?
Cyber security firm Trend Micro notified PaperCut about two flaws present in PaperCut MF and NG version 22.0.5, and the firm released patches to prevent them from being exploited on customer servers.
The first, tracked as CVE-2023-27350 received a CVSS3 rating of 9.8 (critical). It can be used by threat actors to execute code remotely, opening up victims to unchecked malware attacks or data theft.
CVE-2023-27351 can be used to steal user data from servers including payment information, logins, and email addresses.
However, as late as mid-April some enterprises had not updated their printer servers and were still vulnerable.
It was at this stage that the firm announced it had evidence to suggest the vulnerabilities were being exploited in the wild.
“We’ve had reports of customers being late to patch, and as a result their servers have been exposed for a number of weeks,” said Chris Dance, CEO and founder at PaperCut wrote in a blog post.
CVE-2023-27350 has been added to CISA’s list of known exploited vulnerabilities, which requires federal agencies to apply PaperCut’s update by May 12.
-
Gender diversity improvements could be the key to tackling the UK's AI skills shortageNews Encouraging more women to pursue tech careers could plug huge gaps in the AI workforce
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
