Microsoft on Wednesday alleged that the recent attacks on PaperCut servers are tied to the Clop and LockBit ransomware groups, which are using critical- and high-severity vulnerabilities in PaperCut's NG/MF print management products to steal sensitive corporate data.
SC Media reported April 26 that nearly 1,800 internet-exposed servers were compromised to facilitate the installation of Atera and Syncro remote management and maintenance software, hosted on a domain previously used to host the TrueBot malware. TrueBot is alleged to have ties to the Russian threat operation Silence, which has been linked to Evil Corp and the TA505 threat cluster, based on an April 21 report from Huntress.
However, in a series of tweets on April 26, Microsoft attributed the recently reported attacks exploiting the two vulnerabilities in PaperCut’s print management software to the Clop group, which it tracks as Lace Tempest.
According to Microsoft, Lace Tempest operates as a Clop ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into its attacks as early as April 13. In observed attacks, Microsoft said Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe process.
A developing timeline of the PaperCut exploit
The situation with the PaperCut print management software has been known for some time, as PaperCut released patches for the two vulnerabilities in early March. Then on April 19, PaperCut acknowledged that the two bugs were actively exploited in the wild and recommended that security teams upgrade their servers to the latest version. The vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later.
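To turn the fixed-version list above into something a defender can run against a server inventory, here is an added example (not PaperCut's tooling and not from the article). It assumes that branches newer than 22 shipped after the fix and that branches older than 20 have no fixed release, and the "22.0.8 (Build 12345)" string format it tolerates is a constructed assumption.

```python
import re

# Earliest fixed release on each PaperCut NG/MF branch, as quoted in the
# article: 20.1.7, 21.2.11 and 22.0.9.
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
# Assumption: branches newer than 22 were released after the fix and ship
# patched; branches older than 20 have no fixed release and must be upgraded.
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the leading major.minor.patch triple from a version string.
    Trailing build info such as '22.0.8 (Build 12345)' (assumed format) is
    ignored; anything that does not start with three integers is rejected."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(text: str) -> bool:
    """True if this version carries the fix for CVE-2023-27350/-27351."""
    version = parse_version(text)
    major = version[0]
    if major in FIXED_BY_BRANCH:
        # Tuple comparison orders by major, then minor, then patch.
        return version >= FIXED_BY_BRANCH[major]
    return major > NEWEST_FIXED_BRANCH


def servers_needing_upgrade(inventory: dict) -> list:
    """Return host names whose reported version is still vulnerable.
    An unparseable version is not evidence of a patch, so it is listed too."""
    todo = []
    for host, version in inventory.items():
        try:
            if not is_patched(version):
                todo.append(host)
        except ValueError:
            todo.append(host)
    return sorted(todo)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"print-01": "22.0.8", "print-02": "22.0.9", "print-03": "21.2.11",
              "print-04": "20.1.6", "print-05": "19.2.3", "print-06": "23.0.1"}
    print(servers_needing_upgrade(sample))  # ['print-01', 'print-04', 'print-05']
```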
But on April 24, Horizon3.ai published a blog post detailing technical information and a proof-of-concept (PoC) exploit for the critical bug, which attackers could use to bypass authentication and execute code on unpatched PaperCut servers.
The critical bug — CVE-2023-27350 — could allow for remote code execution, and the Zero Day Initiative gave the bug a critical rating of 9.8. For the high severity bug — CVE-2023-27351 — remote attackers could bypass authentication on affected installations of PaperCut products. The Zero Day Initiative gave it a high severity rating of 8.2.
While Microsoft’s attribution to Lace Tempest adds an interesting wrinkle, the more interesting piece of this puzzle is the timeline of exploitation of this issue by the threat actors, said Zach Hanley, chief attack engineer at Horizon3.ai. Hanley said PaperCut and the Zero Day Initiative published the vulnerability descriptions in mid-March. By mid-April the threat actors had developed a working exploit for the described issue and were conducting mass ransomware campaigns against internet-exposed servers — well before any public exploit was available.
“This may indicate the threat actors are actively monitoring sources of vulnerability threat intelligence like Zero Day Initiative’s ‘Upcoming Advisories,’ which list affected vendors before a patch becomes available and official CVEs are created,” said Hanley. “The threat actors are seemingly investing in targeted vulnerability research when a vulnerability affects enough internet-facing devices to be the precursor to their ransomware campaigns. This continuous threat-intelligence loop will play an increasingly important role in organizations’ security models as threat actors become more efficient at it.”
Heath Renfrow, co-founder at Fenix24, added that Clop functions as a very active, organized ransomware-as-a-service (RaaS) operation with connections to other criminal gangs, and that its affiliates have been in the news a lot recently for exploiting unpatched vulnerabilities, such as in the recent GoAnywhere attacks. Renfrow said his firm is also seeing many Clop cases in its ransomware remediation practice, adding that Clop actors prefer extortion over strictly encryption-based attacks, and that these PaperCut incidents are ripe for exploitation by Clop because of the data available for exfiltration.
“They find any vulnerability they can use as a wedge to steal data and extort the organization,” said Renfrow. “LockBit is also getting into the game on this vulnerability, though they are more focused on encryption for ransom.”
Renfrow said the PaperCut case is a good example of why any network-connected device must be secured and cannot be written off as a "lesser threat" to the enterprise, and that it's essential to watch threat feeds for critical vulnerabilities and patch quickly.
"Printers can store and save very mission-sensitive data — anything from M&A documents to HR documentation — and they also enable entry to the network in general, and that makes PaperCut vulnerabilities significant," he concluded.