27 April 2023

Recent PaperCut server attacks linked to Cl0p, Lockbit ransomware

Microsoft has linked recent PaperCut server attacks to Clop and Lockbit ransomware gangs.

Last week, PaperCut warned that threat actors are exploiting two recently fixed vulnerabilities (CVE-2023-27350 and CVE-2023-27351) in its PaperCut print management software in attacks targeting unpatched servers.

The first flaw is an improper access control issue in the SetupCompleted class that allows an attacker to bypass the authentication process and execute arbitrary code with SYSTEM privileges. The second bug resides in the SecurityRequestFilter class and can be used by a remote hacker to bypass the authentication process and gain unauthorized access to the application.

Both vulnerabilities were addressed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later.
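Because the fix landed in three separate release lines (20.x, 21.x and 22.x), a simple "is my version newer than X" comparison gets the patch status wrong for installs on the older lines. The following is an added example, not code from PaperCut or Microsoft: it parses a PaperCut MF/NG version string and reports whether it is at or above the fixed release for its line, using only the versions named in the advisory above. The handling of release lines the advisory does not mention (anything below 20.x is treated as needing an upgrade, anything at 23.x or later as fixed) and the inventory data are assumptions constructed for the example.

```python
"""Check PaperCut MF/NG version strings against the fixed releases named in the
advisory (20.1.7, 21.2.11, 22.0.9 and later).  Example code written for this
page; not part of PaperCut's or Microsoft's own material."""
import re

# Minimum patched release per major version line, taken from the advisory text.
FIXED_RELEASES = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}


def parse_version(text):
    """Return (major, minor, patch) from strings such as '21.2.10' or
    '22.0.9 (Build 12345)'.  Raises ValueError when no x.y.z is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(text):
    """True when the version is at or above the fixed release for its line."""
    version = parse_version(text)
    major = version[0]
    if major > 22:
        # Assumption: release lines newer than 22.x were cut after the fix.
        return True
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        # Assumption: lines older than 20.x have no fixed release listed, so
        # they are reported as needing an upgrade to a supported line.
        return False
    # Tuple comparison is lexicographic, so 21.3.0 correctly ranks above 21.2.11.
    return version >= fixed


def hosts_needing_upgrade(inventory):
    """Given {hostname: version string}, return the sorted hostnames that are
    still below the fixed release for their line."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "print-01": "22.0.9 (Build 66227)",
    "print-02": "22.0.8",
    "print-03": "21.2.11",
    "print-04": "21.2.10",
    "print-05": "20.1.7",
    "print-06": "20.0.12",
    "print-07": "19.2.3",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs upgrade")
```

Feeding the output of an asset inventory into `hosts_needing_upgrade` gives a defensible patch list; note that a host on 20.0.x is flagged even though it is "older" than 22.0.9 in a plain numeric sense, which is exactly the case a naive comparison misses.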

According to Microsoft, CVE-2023-27350 and CVE-2023-27351 have been used by a threat actor it tracks as Lace Tempest (overlaps with FIN11 and TA505) in attacks delivering Clop ransomware.

“Lace Tempest (DEV-0950) is a Clop ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13,” the company said in a series of tweets.

After gaining initial access, the threat actor deployed a TrueBot payload and a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and exfiltrated files of interest using the file-sharing app MegaSync.

Microsoft says it has also detected intrusions leading to Lockbit deployment. The company recommends that organizations update their systems as soon as possible to reduce the risk of attacks.
