Microsoft attributed recent attacks on PaperCut servers to ransomware operations Clop and LockBit, which used the vulnerabilities to steal corporate data.

Last month, two vulnerabilities were patched in the PaperCut application server that allow remote attackers to execute unauthenticated remote code and leak information:

• CVE-2023–27350 / ZDI-CAN-18987 / PO-1216: Unauthenticated remote code execution flaw affecting all versions 8.0 or later of PaperCut MF or NG on all OS platforms, for application and site servers. (CVSS v3.1 rating: 9.8 – critical)
• CVE-2023–27351/ ZDI-CAN-19226 / PO-1219: Unauthenticated Information Disclosure flaw affecting all versions 15.0 or later of PaperCut MF or NG on all OS platforms for Application Servers. (CVSS v3.1 score: 8.2 – high)

On April 19, PaperCut revealed that these flaws have been actively exploited in the wildurging administrators to update their servers to the latest version.

A PoC exploit for RCE flaw released days later, allowing other threat actors to break into servers using these exploits.

Ransomware gangs behind the attacks

Today, Microsoft revealed that the Clop and LockBit ransomware gangs are behind these PaperCut attacks and are using them to steal corporate data from vulnerable servers.

PaperCut is print management software compatible with all major printer brands and platforms. It is used by major corporations, state organizations and educational institutes, with the company’s website claiming that it is used by hundreds of millions of people in over 100 countries.

In a series of tweets posted on Wednesday afternoon, Microsoft says it attributed the recent PaperCut attacks to the Clop ransomware gang.

“Microsoft attributes recently reported attacks exploiting CVE-2023-27350 and CVE-2023-27351 vulnerabilities in PaperCut print management software to deliver Clop ransomware to malicious actor tracked as Lace Tempest (overlap with FIN11 and TA505)” tweeted Microsoft Threat Intelligence Researchers.

Microsoft is tracking this particular threat actor as “Lace Tempest”, whose activity overlaps FIN11 and TA505, both of which are linked to the Clop ransomware operation.

Microsoft says the threat actor has been exploiting PaperCut vulnerabilities since April 13 for initial access to the company’s network.

Once they gained access to the server, they deployed the TrueBot malware, which was also previously related to the Clop ransomware operation.

Ultimately, Microsoft claims a Cobalt Strike beacon was deployed and used to spread laterally through the network while stealing data using the MegaSync file-sharing app.

In addition to Clop, Microsoft claims that some intrusions have led to LockBit ransomware attacks. However, it is not clear if these attacks started after the exploits were published.

Microsoft recommends that administrators apply available patches as soon as possible because other threat actors will likely start exploiting vulnerabilities.

A prime target for Clop

Exploitation of PaperCut servers fits a general pattern we have observed with the Clop ransomware gang over the past three years.

While Operation Clop always encrypts files during attacks, they told BleepingComputer they prefer to steal data to extort companies to pay a ransom.

This change in tactics was first seen in 2020 when Clop exploited a Zero Day Accellion FTA vulnerability to steal the data of about 100 companies.

The Clop gang recently used zero-day vulnerabilities in the GoAnywhere MFT secure file sharing platform for steal data from 130 companies.

PaperCut includes a ‘Printing Archiving‘ which logs all print jobs and documents sent through the server, making it a good candidate for data exfiltration attacks from the operation.

All organizations using PaperCut MF or NG are strongly advised to upgrade to 20.1.7, 21.2.11 and 22.0.9 immediately and later to fix these vulnerabilities.

Update of 04/27/28: The Clop ransomware operation confirmed to BleepingComputer that they were behind the attacks on PaperCut servers, which they began exploiting on April 13.

However, they said they used the vulnerabilities for initial access to networks, rather than to steal documents from the server itself.

In response to our questions about the LockBit attacks, Microsoft said it had nothing further to share.