
PaperCut Flaws Exploited to Deploy Clop, LockBit Ransomware


Microsoft has attributed exploitation attempts of CVE-2023-27350 and CVE-2023-27351 to a Clop ransomware affiliate.

Threat actors are launching a wave of attacks that exploit PaperCut vulnerabilities in order to deploy Clop and LockBit ransomware.

PaperCut, print management software used by more than 100 million users at 89,000 organizations globally, issued patches in March for a critical-severity flaw (CVE-2023-27350) and a high-severity flaw (CVE-2023-27351). On April 18, the company first became aware of unpatched servers being exploited in the wild. On Wednesday, Microsoft attributed some of the activity to a Clop affiliate, which it tracks as DEV-0950 (also labeled Lace Tempest), and said the group had incorporated PaperCut exploits into its attacks as early as April 13.

“In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service,” according to Microsoft’s threat intelligence team on Wednesday. “Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync.”

The Clop ransomware affiliate has previously been observed launching campaigns that exploit flaws in Fortra’s file-sharing software GoAnywhere. Other attacks showed the affiliate using the widely distributed Raspberry Robin worm in post-compromise activity.

The flaws affect both of PaperCut's print management products, PaperCut NG and PaperCut MF. CVE-2023-27350 could enable an unauthenticated attacker to achieve remote code execution on a PaperCut Application Server, while CVE-2023-27351 could allow an unauthenticated attacker to read information about users stored within PaperCut MF or NG, including usernames, full names, email addresses, office/department information and any card numbers associated with them. An attacker exploiting this flaw can also retrieve hashed passwords for internal PaperCut-created user accounts (though, notably, not password hashes for users synchronized from external directory sources, such as Microsoft 365 and Google Workspace).

Over the last week, several security researchers have closely tracked exploitation activity (and released proof-of-concept exploits) around the two flaws. Huntress researchers, for instance, expressed concern after finding a Truebot malware variant on a compromised victim’s system, due to its ties to an entity that has historical links with Clop.

“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning,” said Huntress researchers in an analysis. “Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”

In a separate analysis, Trend Micro researchers (who were credited with first uncovering the vulnerabilities) observed attackers exploiting one of the flaws in order to run a PowerShell script, which ultimately deployed the LockBit ransomware.

“Our analysis indicates that the malicious payload enc.exe is the LockBit ransomware (detected by Trend Micro as Ransom.Win32.LOCKBIT.SMYXCJN), based on the binary found in the user Downloads folder that the malicious actor created,” said Trend Micro researchers on Thursday. “Considering the previous intrusions that the malicious actors behind LockBit have deployed, we will continue to observe this active threat as it targets more potential victims with possibly even more payloads.”

The flaws were fixed in PaperCut MF and NG versions 20.1.7, 21.2.11 and 22.0.9, and impacted PaperCut users are urged to apply patches immediately.

“We strongly recommend that customers upgrade Application Servers and Site Servers to version 22.0.9, or version 21.2.11 (if currently using version 21.x), or version 20.1.7 (if currently using version 20.x),” according to PaperCut's security advisory.
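The advisory's upgrade guidance is branch-specific (20.x to 20.1.7, 21.x to 21.2.11, everything else to 22.0.9), which is easy to get wrong when checking a fleet of Application Servers and Site Servers by hand. The script below is an added example, not code from the article or from PaperCut: it parses version strings, picks the fixed release for each branch, and triages a constructed inventory. The host names are made up, and two behaviours are assumptions beyond the page: branches older than 20.x are treated as needing the 22.0.9 upgrade (the advisory's first recommendation), and any version at or above 22.0.9 is treated as patched.

```python
"""Triage PaperCut MF/NG server versions against the fixed releases named in
the PaperCut advisory (20.1.7, 21.2.11, 22.0.9). Added example; not PaperCut's code."""
import re

# Fixed releases per branch, as stated in the advisory.
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

# Assumption: a branch with no fix line of its own (e.g. 19.x) must move to the
# latest fixed release, 22.0.9; versions at or above it are treated as patched.
LATEST_FIXED = (22, 0, 9)

# Accept "22.0.9" as well as strings with trailing build info, e.g. "22.0.9 (Build 1)".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a PaperCut version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def required_fix(version):
    """Return the minimum fixed release for the branch this version belongs to."""
    major = version[0]
    if major >= 22:
        return LATEST_FIXED
    return FIXED_BY_BRANCH.get(major, LATEST_FIXED)


def is_patched(text):
    """True if the version string is at or above its branch's fixed release."""
    v = parse_version(text)
    return v >= required_fix(v)


def triage(inventory):
    """Map host -> (reported version, status, upgrade target as a string or None).

    status is 'patched', 'vulnerable', or 'unknown' (unparseable version).
    """
    report = {}
    for host, reported in inventory.items():
        try:
            v = parse_version(reported)
        except ValueError:
            report[host] = (reported, "unknown", None)
            continue
        target = required_fix(v)
        status = "patched" if v >= target else "vulnerable"
        report[host] = (reported, status, ".".join(str(n) for n in target))
    return report


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "print-01": "22.0.9",
    "print-02": "21.2.10",
    "print-03": "20.1.7",
    "print-04": "19.2.3",
    "print-05": "22.1.1 (Build 64)",
    "print-06": "n/a",
}

if __name__ == "__main__":
    for host, (ver, status, target) in sorted(triage(SAMPLE_INVENTORY).items()):
        note = f" -> upgrade to {target}" if status == "vulnerable" else ""
        print(f"{host}: {ver} [{status}]{note}")
```

Feed `triage()` whatever your asset inventory reports for the PaperCut Application Server and Site Server version field; hosts that come back `unknown` need a manual look rather than being assumed safe.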