Security News > 2023 > April > Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families.
The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest, which overlaps with other hacking groups like FIN11, TA505, and Evil Corp. "In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service," Microsoft said in a series of tweets.
Microsoft said the threat actor incorporated PaperCut flaws into its attack toolkit as early as April 13, corroborating the Melbourne-based print management software provider's earlier assessment.
The development comes as the Russian cybercrime group monitored as FIN7 has been linked to attacks exploiting unpatched Veeam backup software instances to distribute POWERTRASH, a staple PowerShell-based in-memory dropper that executes an embedded payload. The activity, detected by WithSecure on March 28, 2023, likely involved the abuse of CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication that permits an unauthenticated attacker to obtain encrypted credentials stored in the configuration database and gain access to the infrastructure hosts.
The hitherto undocumented persistence script has been codenamed POWERHOLD, with the DICELOADER malware decoded and executed using another unique loader referred to as DUBLOADER. UPCOMING WEBINAR. Zero Trust + Deception: Learn How to Outsmart Attackers!
The first signs of in-the-wild exploitation, per ZDI, emerged on April 11, 2023, with the threat actors leveraging the flaw to make an HTTP request to the Mirai command-and-control servers to download and execute payloads responsible for co-opting the device into the botnet and launch DDoS attacks against game servers.
News URL
https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html
Related news
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- Ransomware gang using stolen Microsoft Entra ID creds to bust into the cloud (source)
- Ransomware attackers hop from on-premises systems to cloud to compromise Microsoft 365 accounts (source)
- Police arrest four suspects linked to LockBit ransomware gang (source)
- LockBit Ransomware and Evil Corp Members Arrested and Sanctioned in Joint Global Effort (source)
- Microsoft fixes Remote Desktop issues caused by Windows Server update (source)
- Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server (source)
- Microsoft says more ransomware stopped before reaching encryption (source)
- Microsoft: Ransomware Attacks Growing More Dangerous, Complex (source)
- Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-10 | CVE-2023-27532 | Missing Authentication for Critical Function vulnerability in Veeam Backup & Replication 11.0.1.1261/12.0.0.1420 Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. | 7.5 |