Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
2023-04-27 08:20

Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families.

The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest, which overlaps with other hacking groups like FIN11, TA505, and Evil Corp. "In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service," Microsoft said in a series of tweets.

Microsoft said the threat actor incorporated PaperCut flaws into its attack toolkit as early as April 13, corroborating the Melbourne-based print management software provider's earlier assessment.

The development comes as the Russian cybercrime group monitored as FIN7 has been linked to attacks exploiting unpatched Veeam backup software instances to distribute POWERTRASH, a staple PowerShell-based in-memory dropper that executes an embedded payload. The activity, detected by WithSecure on March 28, 2023, likely involved the abuse of CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication that permits an unauthenticated attacker to obtain encrypted credentials stored in the configuration database and gain access to the infrastructure hosts.

The hitherto undocumented persistence script has been codenamed POWERHOLD, with the DICELOADER malware decoded and executed using another unique loader referred to as DUBLOADER.

The first signs of in-the-wild exploitation, per ZDI, emerged on April 11, 2023, with the threat actors leveraging the flaw to make an HTTP request to the Mirai command-and-control servers to download and execute payloads responsible for co-opting the device into the botnet and launching DDoS attacks against game servers.


News URL

https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html

Related Vulnerability

Date: 2023-03-10
CVE: CVE-2023-27532
Vulnerability title: Missing Authentication for Critical Function vulnerability in Veeam Backup & Replication 11.0.1.1261/12.0.0.1420
Description: Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained.
Vector: network, low complexity
Vendor: veeam
CWE: CWE-306
Risk: 7.5

Related vendor

VENDOR      #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Microsoft   365          50    1369     2820   161        4400
Papercut    3            0     5        4      4          13