Ransomware Hackers Exploit PaperCut BugsClop and LockBit Spotted Exploiting Unpatched Print Management Software
An affiliate of the Russian-speaking Clop ransomware-as-a-service gang and the LockBit cybercrime group are each actively exploiting vulnerabilities in popular print management software.
The computing giant said a Clop-affiliated hacking group it identifies as Lace Tempest - also known as FIN11- is behind a spate of attacks exploiting two recently patched vulnerabilities in software made by Australian firm PaperCut.
PaperCut began urging customers to update their software earlier this month after receiving customer reports of suspicious activity exploiting bugs that had been patched in March.
The company said the earliest indicator of hackers using a remote code execution flaw on the PaperCut Application Server, tracked as CVE-2023–27350, occurred on April 14. Microsoft said it appears Lace Tempest incorporated the PaperCut exploit into attacks as early as April 13.
Cybersecurity firm Trend Micro added urgency to patching exhortations after it said it had spotted attacks in the wild. In a Thursday update, TrendMicro said it had spotted hackers using the flaw to deploy LockBit ransomware.
The Redmond giant said Lace Tempest deploys Truebot, a malware downloader that's a known precursor to Clop ransomware.
Ransomware gangs aren't the only hackers jumping on the PaperCut flaw. Huntress said it found a hacker attempting to deploy a Monero crypto miner.
The remote code execution flaw propelling the attacks wasn't the only bug PaperCut patched in March. It also fixed CVE-2023-27351, a flaw the company said allows "under certain circumstances" an unauthenticated attacker to pull information about a user stored within PaperCut software including usernames, full names, email addresses and hashed passwords for PaperCut-created users - but not password hashes synced from sources such as Active Directory. PaperCut said there is no evidence of this vulnerability being exploited.