Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families.
The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest, which overlaps with other hacking groups like FIN11, TA505, and Evil Corp. "In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service," Microsoft said in a series of tweets.
Microsoft said the threat actor incorporated PaperCut flaws into its attack toolkit as early as April 13, corroborating the Melbourne-based print management software provider's earlier assessment.
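As an added defensive example (not code from Microsoft or the article), a small correlation script that flags the chain described above in Sysmon-style telemetry: PowerShell spawned by the PaperCut server process, LSASS access by an unexpected process, and remote-thread creation in conhost.exe on the same host within a short window. The PaperCut process name pc-app.exe, the allowlist of legitimate LSASS readers and the sample events are assumptions constructed for the example, not values from the page.

```python
"""Correlate the PaperCut -> PowerShell -> LSASS -> conhost.exe chain in
Sysmon-style events. Added example; assumes events flattened to dicts with
Sysmon event IDs 1 (process create), 10 (process access), 8 (CreateRemoteThread)."""
from collections import defaultdict
from datetime import datetime, timedelta

PAPERCUT_PROCS = {"pc-app.exe"}  # assumption: PaperCut application server process
SHELLS = {"powershell.exe", "pwsh.exe"}
# assumption: processes that legitimately open LSASS; tune per environment
TRUSTED_LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}

# Constructed sample events (not real telemetry). Host print01 shows the full
# chain; print02 is a benign interactive PowerShell launch from explorer.exe.
EVENTS = [
    {"host": "print01", "ts": "2023-04-13T10:00:00", "id": 1, "pid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe"},
    {"host": "print01", "ts": "2023-04-13T10:00:07", "id": 10, "pid": 4200, "source": "C:\\Windows\\System32\\rundll32.exe", "target": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "print01", "ts": "2023-04-13T10:00:20", "id": 8, "pid": 4200, "source": "C:\\Windows\\System32\\rundll32.exe", "target": "C:\\Windows\\System32\\conhost.exe"},
    {"host": "print02", "ts": "2023-04-13T11:00:00", "id": 1, "pid": 500, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def stage(ev):
    """Map one event to a stage of the described chain, or None if it matches nothing."""
    if ev["id"] == 1 and basename(ev["image"]) in SHELLS and basename(ev["parent"]) in PAPERCUT_PROCS:
        return "shell_from_papercut"
    if ev["id"] == 10 and basename(ev["target"]) == "lsass.exe" and basename(ev["source"]) not in TRUSTED_LSASS_READERS:
        return "lsass_access"
    if ev["id"] == 8 and basename(ev["target"]) == "conhost.exe":
        return "conhost_injection"
    return None

def correlate(events, window=timedelta(minutes=30)):
    """Return {host: stages} for hosts where two or more distinct stages occur within `window`."""
    per_host = defaultdict(list)
    for ev in events:
        s = stage(ev)
        if s:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), s))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - t0 <= window}
            if len(stages) >= 2:  # any two stages together is worth an analyst's look
                hits[host] = stages
                break
    return hits

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, sorted(stages))
```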
The development comes as the Russian cybercrime group monitored as FIN7 has been linked to attacks exploiting unpatched Veeam backup software instances to distribute POWERTRASH, a staple PowerShell-based in-memory dropper that executes an embedded payload. The activity, detected by WithSecure on March 28, 2023, likely involved the abuse of CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication that permits an unauthenticated attacker to obtain encrypted credentials stored in the configuration database and gain access to the infrastructure hosts.
The hitherto undocumented persistence script has been codenamed POWERHOLD, with the DICELOADER malware decoded and executed using another unique loader referred to as DUBLOADER.
The first signs of in-the-wild exploitation, per ZDI, emerged on April 11, 2023, with the threat actors leveraging the flaw to make an HTTP request to the Mirai command-and-control servers to download and execute payloads responsible for co-opting the device into the botnet and launching DDoS attacks against game servers.
News URL
https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2023-03-10 | CVE-2023-27532 | Missing Authentication for Critical Function in Veeam Backup & Replication 11.0.1.1261/12.0.0.1420: a vulnerability in the Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. | 7.5