Microsoft claims recent PaperCut server exploits were designed to deploy Cl0p ransomware and were carried out by the same threat actors behind Fortra’s GoAnywhere exploits.
The US software giant traced exploits of vulnerabilities in print management software provider PaperCut’s servers to Lace Tempest, a threat actor affiliated with Cl0p ransomware.
“The threat actor incorporated the PaperCut exploits into their attacks as early as April 13,” the Microsoft Threat Intelligence team said on Twitter.
The same threat actor has also been observed employing Fortra’s GoAnywhere exploit, a zero-day bug that led to a cascade of ransomware attacks by the Cl0p syndicate in March 2023.
Last week, PaperCut notified users of two bugs exploited in the wild: CVE-2023-27351, a critical remote code execution flaw, and CVE-2023-27350, a high-severity information disclosure bug.
Microsoft’s researchers said that Lace Tempest ran multiple PowerShell commands to deliver TrueBot malware to victim devices, allowing the threat actor to move further within the affected system.
“We’re monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to LockBit deployment. More threat actors could follow suit,” researchers said.
Since the PaperCut exploits are very fresh, many of the affected organizations might not be aware that ransomware syndicates are snooping within their IT environments.
Cl0p ransomware has been around since 2019. The gang has also been at the forefront of the ransomware world, with estimated payouts reaching $500 million in November 2021.
Even though the gang stopped operations following the arrest of several of its affiliates in late 2021, the syndicate returned with a bang in March 2023.
According to researchers at security firm Cyberint, Cl0p victimized over 100 organizations in the first quarter of 2023, making it the second most prolific ransomware cartel after LockBit.