Microsoft has recently revealed that the Clop and LockBit ransomware gangs are responsible for the attacks on PaperCut servers, exploiting vulnerabilities to steal corporate data. In April, two vulnerabilities, CVE-2023-27350 and CVE-2023-27351, were fixed in the PaperCut Application Server; they allowed unauthenticated remote attackers to achieve remote code execution and information disclosure. PaperCut disclosed on April 19th that these flaws were actively exploited in the wild and urged administrators to upgrade their servers to the latest version. A Proof of Concept (PoC) exploit for the remote code execution (RCE) flaw was released shortly after, enabling more threat actors to breach servers using these flaws.
PaperCut is a printing management software compatible with all major printer brands and platforms, utilized by large companies, state organizations, and educational institutes worldwide. The company's website claims it is used by hundreds of millions of users in over 100 countries. Microsoft has attributed the recent PaperCut attacks to the Clop ransomware gang, which it tracks as 'Lace Tempest.' This threat actor's activity overlaps with FIN11 and TA505, both of which are linked to the Clop ransomware operation. Microsoft stated in a series of tweets, "Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505)."
According to Microsoft, the threat actor has been exploiting the PaperCut vulnerabilities since April 13th for initial access to corporate networks. After gaining access to the server, they deployed the TrueBot malware, which has also been previously linked to the Clop ransomware operation. Microsoft further reported that a Cobalt Strike beacon was deployed and used to spread laterally through the network, stealing data using the MegaSync file-sharing application. In addition to Clop, Microsoft says some intrusions have led to LockBit ransomware attacks, although it's unclear if these attacks began after the exploits were publicly released.
Microsoft recommends that administrators apply the available patches as soon as possible, as other threat actors will likely begin exploiting the vulnerabilities. The exploitation of PaperCut servers aligns with the Clop ransomware gang's general pattern over the past three years. While the Clop operation still encrypts files in attacks, they have told reporters that they prefer to steal data to extort companies into paying a ransom. This shift in tactics was first seen in 2020 when Clop exploited an Accellion FTA zero-day vulnerability to steal data from approximately 100 companies. More recently, the Clop gang utilized zero-day vulnerabilities in the GoAnywhere MFT secure file-sharing platform to steal data from 130 companies. PaperCut includes a 'Print Archiving' feature that saves all print jobs and documents sent through the server, making it a prime target for data exfiltration attacks by the operation. Organizations using PaperCut MF or NG are strongly advised to upgrade immediately to versions 20.1.7, 21.2.11, or 22.0.9, or later, to fix these vulnerabilities.
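The remediation above is branch-specific: a 21.x server is only fixed from 21.2.11, a 20.x server from 20.1.7, and so on, so a naive "is it at least 22.0.9?" check misclassifies a patched 21.2.11 host. The following script, an added example that is not part of the original article and not PaperCut's own tooling, encodes the fixed versions named above and triages an inventory of PaperCut servers against them. The version-string format (`major.minor.patch`, optionally followed by build text) and the treatment of branches older than 20.x as unpatched and newer than 22.x as postdating the fix are assumptions; the host names and versions in the sample inventory are constructed.

```python
import re

# Minimum fixed version for each PaperCut MF/NG release branch, as stated in
# the advisory text for CVE-2023-27350 / CVE-2023-27351.
FIXED_VERSIONS = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)

# Assumed version-string shape: "major.minor.patch" followed by optional build
# text such as "(Build 12345)". Anything after the three numbers is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a PaperCut version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True if this version is at or above the fixed release for its branch.

    Branch handling follows the advisory's "20.1.7, 21.2.11, 22.0.9 or later":
      - 20.x / 21.x / 22.x: compare against that branch's own fixed version
        (tuple comparison gives proper numeric ordering, so 21.2.11 > 21.2.9).
      - newer than 22.x (assumption): released after the fix, treated as patched.
      - older than 20.x (assumption): no fixed release exists, so the host
        must be upgraded and is reported as vulnerable.
    """
    major, minor, patch = parse_version(version)
    if major > NEWEST_FIXED_BRANCH:
        return True
    if major in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[major]
    return False


def triage(inventory):
    """Classify (hostname, version) pairs; returns a list of (host, version, status)."""
    results = []
    for host, version in inventory:
        try:
            status = "patched" if is_patched(version) else "VULNERABLE - upgrade"
        except ValueError:
            status = "UNKNOWN - check manually"
        results.append((host, version, status))
    return results


def vulnerable_hosts(inventory):
    """Convenience view: just the hosts that still need patching."""
    return [host for host, _, status in triage(inventory) if status.startswith("VULNERABLE")]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("print-hq-01", "22.0.9 (Build 66000)"),
    ("print-hq-02", "22.0.8"),
    ("print-branch-a", "21.2.11"),
    ("print-branch-b", "21.2.10"),
    ("print-legacy", "20.1.6"),
    ("print-lab", "19.2.3"),
    ("print-new", "23.0.1"),
    ("print-odd", "unknown"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {version:22} {status}")
```

Feeding the script a real inventory (for example, the version reported on each server's admin "About" page, collected by whatever asset system is in use) gives a quick list of hosts still exposed; the `UNKNOWN` status is deliberate so that an unparseable version never silently passes as patched.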