Microsoft has linked recent attacks on PaperCut servers to ransomware operations by Clop and LockBit, which used vulnerabilities to steal corporate data.
In March 2023, print management solutions provider PaperCut fixed vulnerabilities CVE-2023-27350 (9.8 out of 10 on the CVSS scale, equalling the recently discovered MSMQ vulnerability) and CVE-2023-27351 (8.2 out of 10 on the CVSS scale).
They allowed attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges, as well as to extract usernames, full names, email addresses, and other sensitive data. It was emphasized that such attacks do not require user interaction.
In mid-April, it became known that hackers were already exploiting these vulnerabilities, and a PoC exploit for the most dangerous of them appeared in the public domain.
Microsoft analysts now report that the Clop and LockBit ransomware operations are behind these attacks on PaperCut servers, using the bugs to steal corporate data from vulnerable servers.
According to the researchers, hackers have been exploiting the PaperCut vulnerabilities since April 13, 2023, using them to gain access to corporate networks. After gaining access to the server, the attackers deploy the TrueBot malware, which is associated with Clop extortion operations, as well as a Cobalt Strike “beacon”, which is used to move laterally through the victim’s network and steal data using the MegaSync file-sharing application.
Microsoft says some of the incidents ended with LockBit ransomware attacks, but it’s not clear if these attacks started before or after the exploits were published.
Incidentally, the media also reported that Canadian police arrested a Russian man involved in LockBit ransomware attacks.
Experts urge all administrators to install the available patches as soon as possible, since other attackers are likely to start exploiting these bugs soon as well. In particular, users of PaperCut MF and NG are strongly recommended to upgrade to versions 20.1.7, 21.2.11 or 22.0.9.
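As an added defensive check (this script is not from the article or from PaperCut), the code below triages a constructed server inventory and flags hosts whose PaperCut MF/NG version is below the fixed release for its branch. The version-string format and the handling of branches outside 20.x to 22.x are assumptions.

```python
from __future__ import annotations
import re

# Fixed releases named in the advisory, keyed by release branch (major version).
# Assumption: a server is patched only if it runs at least the fixed release
# of its own branch (e.g. 21.2.10 is still vulnerable, 21.2.11 is not).
FIXED_VERSIONS = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}

# Assumed format: "major.minor.patch", optionally followed by build metadata.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Extract (major, minor, patch) from a version string, or None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> bool | None:
    """True if the version still needs the CVE-2023-27350/-27351 fix,
    False if it is at or above the fixed release, None if unparseable."""
    ver = parse_version(version_text)
    if ver is None:
        return None
    if ver[0] in FIXED_VERSIONS:
        return ver < FIXED_VERSIONS[ver[0]]
    # Assumption: branches newer than any listed fix already ship with it;
    # branches older than 20.x have no listed fix, so treat them as vulnerable.
    return ver[0] < min(FIXED_VERSIONS)


def triage(inventory: dict[str, str]) -> list[str]:
    """Return sorted hostnames whose version is vulnerable or could not be parsed."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v) is not False)


if __name__ == "__main__":
    # Constructed sample inventory, e.g. exported from a CMDB (not real hosts).
    sample = {"print01": "22.0.8 (Build 65951)", "print02": "22.0.9",
              "print03": "21.2.11", "print04": "20.1.6", "print05": "unknown"}
    for host in triage(sample):
        print(f"{host}: PaperCut {sample[host]} needs patching or verification")
```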