"Microsoft Blames Clop Affiliate for PaperCut Attacks"

Microsoft has assessed that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the work of a Clop ransomware affiliate. The two bugs in question are CVE-2023-27350, a critical unauthenticated remote code execution flaw with a CVSS score of 9.8, and CVE-2023-27351, a high severity unauthenticated information disclosure flaw.

Microsoft Threat Intelligence attributed the attacks exploiting the bugs to "Lace Tempest," a threat actor it says overlaps with FIN11 and TA505. FIN11 is linked to the infamous Clop ransomware gang and the Accellion FTA extortion campaign, while TA505 is reportedly behind the Dridex banking Trojan and Locky ransomware. According to Microsoft, Lace Tempest, also tracked as DEV-0950, is a Clop ransomware affiliate that has previously been observed using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the group exploited the PaperCut bugs in attacks as early as April 13.

In the intrusions Microsoft observed, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a command-and-control (C2) server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe process. Lace Tempest then delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor identified and exfiltrated files of interest using the file-sharing application MegaSync.

Microsoft noted that other groups might also be exploiting the two PaperCut vulnerabilities in the wild, pointing out that some intrusions had led to the deployment of the prolific LockBit ransomware.


Infosecurity reports: "Microsoft Blames Clop Affiliate for PaperCut Attacks"
