Microsoft’s Threat Intelligence team has attributed the recent attacks on PaperCut servers to the Clop and LockBit ransomware gangs. The attacks were carried out by exploiting two different vulnerabilities that allowed attackers to run arbitrary code and extract information.
PaperCut had already warned users on April 19 that the flaws were being actively exploited in the wild and issued a patch, urging users to update their servers to the latest version. To make matters worse, a proof-of-concept exploit was released shortly afterward, allowing additional threat actors to join in the attacks.
The vulnerabilities in question are as follows.
- CVE-2023-27350 (CVSS score 9.8): Remote code execution flaw affecting PaperCut MF or NG versions 8.0 or later on all OS platforms, including application and site servers.
- CVE-2023-27351 (CVSS score 8.2): Unauthenticated information disclosure flaw affecting PaperCut MF or NG versions 15.0 or later on all OS platforms, including application and site servers.
According to Microsoft, the threat actor exploiting PaperCut is tracked as “Lace Tempest” and had incorporated the PaperCut exploits into its attacks as early as April 13. Lace Tempest ran multiple PowerShell commands to deliver a Truebot DLL, which connected to a command and control (C2) server, to steal LSASS credentials while also injecting the Truebot payload into the conhost.exe service.
The threat actor also deployed a Cobalt Strike beacon implant, did recon on connected systems and moved laterally using WMI before finally identifying and extracting “files of interest” using the Megasync file-sharing app.
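The stages described above (PowerShell run on the exploited server, WMI-driven lateral movement, Megasync used for exfiltration) can be hunted for in process-creation logs. The following is an added example, not code from Microsoft or PaperCut; the server process name is a placeholder, and the event field names, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: placeholder for the print server's application process name;
# replace it with the real binary name from your own installation.
SERVER_PROCS = {"print-app-server.exe"}
WINDOW = timedelta(hours=24)  # assumed correlation window

def classify(ev):
    """Map one process-creation event to a stage of the chain in the article."""
    parent, image = ev["parent"].lower(), ev["image"].lower()
    if parent in SERVER_PROCS and image == "powershell.exe":
        return "server_spawned_powershell"  # PowerShell launched by the server process
    if parent == "wmiprvse.exe":
        return "wmi_process_creation"       # process started through WMI
    if image == "megasync.exe":
        return "megasync_executed"          # file-sharing client seen on a host
    return None

def correlate(events):
    """Build chains that start at a server-spawned PowerShell event and collect
    later stages seen on any host within WINDOW. WMI-spawned processes are
    routine on their own, so later stages only count after a trigger."""
    staged = sorted(((datetime.fromisoformat(e["time"]), classify(e), e["host"])
                     for e in events), key=lambda t: t[0])
    chains = {}
    for ts, stg, host in staged:
        if stg is None:
            continue
        open_chains = [c for c in chains.values()
                       if c["start"] <= ts <= c["start"] + WINDOW]
        if stg == "server_spawned_powershell" and not any(
                c["origin"] == host for c in open_chains):
            chains[(host, ts)] = {"origin": host, "start": ts, "stages": [(stg, host)]}
            continue
        for c in open_chains:
            c["stages"].append((stg, host))
    return list(chains.values())

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"time": "2023-05-01T02:10:00", "host": "PRINT01", "parent": "WmiPrvSE.exe", "image": "cscript.exe"},
    {"time": "2023-05-01T09:00:00", "host": "PRINT01", "parent": "print-app-server.exe", "image": "powershell.exe"},
    {"time": "2023-05-01T09:40:00", "host": "FILE02", "parent": "WmiPrvSE.exe", "image": "cmd.exe"},
    {"time": "2023-05-01T11:05:00", "host": "FILE02", "parent": "explorer.exe", "image": "MEGAsync.exe"},
    {"time": "2023-05-03T08:00:00", "host": "HR07", "parent": "WmiPrvSE.exe", "image": "msiexec.exe"},
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain["origin"], chain["stages"])
```

The first WMI event precedes any trigger and the last falls outside the window, so neither is attributed to the chain.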
Lace Tempest is a Clop ransomware affiliate that has been observed in the past using GoAnywhere exploits and Raspberry Robin infection hand-offs. Microsoft also claims that some intrusions might have led to LockBit ransomware gang attacks, but it’s unclear whether these attacks began before or after the PoC exploits were publicly released.