Microsoft Blames Clop Affiliate for PaperCut Attacks

Microsoft has claimed that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the work of a Clop ransomware affiliate.
The two bugs in question are CVE-2023-27350 – a critical unauthenticated remote code execution flaw – and CVE-2023-27351 – a high-severity unauthenticated information disclosure flaw. The former has a CVSS score of 9.8.
After being notified by Trend Micro, PaperCut alerted users last week that the vulnerabilities were being exploited in the wild and urged customers to update their servers immediately.
Microsoft Threat Intelligence yesterday attributed recent attacks exploiting the bugs to “Lace Tempest,” a threat actor it says overlaps with FIN11 and TA505. FIN11 is linked to the infamous Clop ransomware gang and the Accellion FTA extortion campaign, while TA505 is reportedly behind the Dridex banking Trojan and Locky ransomware.
Also known as DEV-0950, Lace Tempest is a Clop ransomware affiliate that has previously been detected using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the threat group exploited the PaperCut bugs in attacks as early as April 13.
“In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service,” Microsoft added in a tweet.
“Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync.”
Microsoft added that other groups may also be exploiting the two PaperCut vulnerabilities in the wild, noting that some intrusions had led to deployment of the prolific LockBit ransomware.
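For defenders, the chain Microsoft describes (shell activity on the print server, WMI-driven lateral movement, then MegaSync exfiltration) can be hunted in process-creation telemetry. The following is an added example, not code from Microsoft or the original article; the process names (`pc-app.exe`, `WmiPrvSE.exe`, `MEGAsync.exe`), event fields, hostnames and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Assumed process names (none appear in the article); adjust to your environment.
PRINT_SERVER_PARENTS = {"pc-app.exe"}  # assumed PaperCut application server process
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WMI_HOST = "wmiprvse.exe"
SYNC_CLIENTS = {"megasync.exe"}

def classify(event):
    """Map one process-creation event to a stage of the reported chain, or None."""
    parent = basename(event["parent"]).lower()
    image = basename(event["image"]).lower()
    if parent in PRINT_SERVER_PARENTS and image in SHELLS:
        return "shell_from_print_server"
    if parent == WMI_HOST and image in SHELLS:
        return "wmi_spawned_shell"
    if image in SYNC_CLIENTS:
        return "megasync_started"
    return None

def stages_by_host(events):
    """Return {host: [stages in first-seen order]} for hosts with any match."""
    stages = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage and stage not in stages[ev["host"]]:
            stages[ev["host"]].append(stage)
    return dict(stages)

def hosts_to_triage(events):
    """A print-server shell is flagged on its own; WMI-spawned shells are common
    in legitimate administration, so other hosts need at least two stages."""
    return sorted(h for h, s in stages_by_host(events).items()
                  if "shell_from_print_server" in s or len(s) >= 2)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2023-04-13T10:00:00", "host": "PRINT01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"},
    {"time": "2023-04-13T10:05:00", "host": "PRINT01", "parent": r"D:\apps\print\pc-app.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2023-04-13T11:00:00", "host": "FILE02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2023-04-13T11:20:00", "host": "FILE02", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe"},
    {"time": "2023-04-13T12:00:00", "host": "WS07", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print(hosts_to_triage(SAMPLE_EVENTS))
```

The LSASS credential access and conhost.exe injection steps in the quoted chain do not show up in process-creation events and need process-access or memory telemetry instead.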