Fraud Management & Cybercrime , Governance & Risk Management , Patch Management

Ransomware Hackers Exploit PaperCut Bugs

Clop and LockBit Spotted Exploiting Unpatched Print Management Software
Ransomware Hackers Exploit PaperCut Bugs

An affiliate of the Russian-speaking Clop ransomware-as-a-service gang and the LockBit cybercrime group are each actively exploiting vulnerabilities in popular print management software.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

The computing giant said a Clop-affiliated hacking group it identifies as Lace Tempest - also known as FIN11- is behind a spate of attacks exploiting two recently patched vulnerabilities in software made by Australian firm PaperCut.

PaperCut began urging customers to update their software earlier this month after receiving customer reports of suspicious activity exploiting bugs that had been patched in March.

The company said the earliest indicator of hackers using a remote code execution flaw on the PaperCut Application Server, tracked as CVE-2023–27350, occurred on April 14. Microsoft said it appears Lace Tempest incorporated the PaperCut exploit into attacks as early as April 13.

Cybersecurity firm Trend Micro added urgency to patching exhortations after it said it had spotted attacks in the wild. In a Thursday update, TrendMicro said it had spotted hackers using the flaw to deploy LockBit ransomware.

The Redmond giant said Lace Tempest deploys Truebot, a malware downloader that's a known precursor to Clop ransomware.

Ransomware gangs aren't the only hackers jumping on the PaperCut flaw. Huntress said it found a hacker attempting to deploy a Monero crypto miner.

The remote code execution flaw propelling the attacks wasn't the only bug PaperCut patched in March. It also fixed CVE-2023-27351, a flaw the company said allows "under certain circumstances" an unauthenticated attacker to pull information about a user stored within PaperCut software including usernames, full names, email addresses and hashed passwords for PaperCut-created users - but not password hashes synced from sources such as Active Directory. PaperCut said there is no evidence of this vulnerability being exploited.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.