Microsoft Confirms PaperCut Server Used to Deliver LockBit and Cl0p Ransomware
Microsoft has confirmed that active exploitation of PaperCut servers is related to an attack designed to deliver the Cl0p and LockBit ransomware families.
The tech giant’s threat intelligence team links a subset of the intrusions to a financially motivated actor it tracks as Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups such as FIN11, TA505, and Evil Corp.
“In the attack observed, Lace Tempest executed several PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service,” Microsoft said in a series of tweets.
The next phase of the attack involves deploying the Cobalt Strike Beacon implant to perform reconnaissance, move laterally across the network using WMI, and extract files of interest via the file sharing service MegaSync.
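As an added illustration (not code from the article or from Microsoft), the following Python triage pass runs over constructed Sysmon-style process events and flags the three behaviours described above: the PaperCut server process spawning a script host, a non-allowlisted process opening LSASS, and WMI-spawned shells used for lateral movement. The PaperCut process name (`pc-app.exe`), the LSASS reader allowlist and the sample events are all assumptions made for this example.

```python
# Added example, not from the article: a minimal triage pass over constructed
# Sysmon-style events for the PaperCut -> PowerShell -> LSASS -> WMI chain.
from dataclasses import dataclass

# Assumption: the PaperCut NG/MF application server runs as pc-app.exe.
PAPERCUT_PROCESSES = {"pc-app.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WMI_HOST = "wmiprvse.exe"
# Assumption: processes that legitimately open LSASS in this environment.
ALLOWED_LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


@dataclass
class ProcEvent:
    event_id: int      # 1 = process create, 10 = process access (Sysmon numbering)
    parent: str        # parent image name for event 1 (lower-case, no path)
    image: str         # child image (event 1) or source image (event 10)
    target: str = ""   # accessed process for event 10
    cmdline: str = ""


def triage(events):
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for e in events:
        if e.event_id == 1 and e.parent in PAPERCUT_PROCESSES and e.image in SCRIPT_HOSTS:
            findings.append(f"print-server child: {e.parent} -> {e.image} [{e.cmdline}]")
        elif e.event_id == 10 and e.target == "lsass.exe" and e.image not in ALLOWED_LSASS_READERS:
            findings.append(f"lsass access from {e.image}")
        elif e.event_id == 1 and e.parent == WMI_HOST and e.image in SCRIPT_HOSTS:
            findings.append(f"wmi-spawned shell: {e.image} [{e.cmdline}]")
    return findings


# Constructed sample telemetry loosely modelled on the chain the article describes.
SAMPLE = [
    ProcEvent(1, "services.exe", "pc-app.exe"),                      # benign: service start
    ProcEvent(1, "pc-app.exe", "powershell.exe", cmdline="powershell -enc <redacted>"),
    ProcEvent(1, "explorer.exe", "powershell.exe", cmdline="powershell"),  # benign: user shell
    ProcEvent(10, "", "rundll32.exe", target="lsass.exe"),            # credential theft attempt
    ProcEvent(10, "", "msmpeng.exe", target="lsass.exe"),             # benign: AV engine
    ProcEvent(1, "wmiprvse.exe", "cmd.exe", cmdline="cmd /c whoami"), # WMI lateral movement
]

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```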
Lace Tempest is a Cl0p ransomware affiliate that is said to have leveraged the Fortra GoAnywhere MFT exploit as well as initial access obtained via Raspberry Robin infections (attributed to another actor dubbed DEV-0856).
Raspberry Robin, also known as the QNAP worm, is believed to be access-as-a-service malware used as a delivery vehicle for later-stage payloads such as IcedID, Cl0p, and LockBit. It is known to combine various obfuscation, anti-debugging, and anti-virtual-machine measures to evade detection.
Microsoft said the threat actor incorporated the PaperCut vulnerabilities (CVE-2023-27350 and CVE-2023-27351) into its attack kit on April 13, corroborating the Melbourne-based print management software provider’s initial assessment.
Successful exploitation of the two security vulnerabilities could allow unauthenticated remote attackers to achieve arbitrary code execution and gain unauthorized access to sensitive information.
A separate cluster of activity has also been detected weaponizing the same vulnerabilities, including one that led to a LockBit ransomware infection, Redmond added.
FIN7 Exploit Veeam Flaw CVE-2023-27532
This development comes as the Russian cybercrime group FIN7 has been linked to an attack that exploits unpatched instances of Veeam backup software to distribute POWERTRASH, a PowerShell-based in-memory dropper that executes embedded payloads.
The activity was detected by WithSecure on March 28, 2023, and possibly involved abuse of CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication that allows an unauthenticated attacker to obtain encrypted credentials stored in the configuration database and gain access to the infrastructure host. It was patched last month.
“Threat actors use a series of commands and special scripts to collect host and network information from compromised machines,” the Finnish cybersecurity firm said. “In addition, a series of SQL commands were executed to steal information from the Veeam backup database.”
Also used in the attack are custom PowerShell scripts to retrieve stored credentials from backup servers, gather system information, and set up an active foothold on the compromised host by executing DICELOADER (aka Lizar or Tirion) each time the device boots up.
The hitherto undocumented persistence script has been codenamed POWERHOLD, with the DICELOADER malware decoded and executed using another unique loader referred to as DUBLOADER.
“The aims of these attacks were unclear at the time of writing, as they were mitigated before they were fully realized,” said security researchers Neeraj Singh and Mohammad Kazem Hassan Nejad, adding that the findings demonstrate the group’s evolving tradecraft and modus operandi.
POWERHOLD and DUBLOADER are far from the only new malware that FIN7 has added to its arsenal. IBM Security X-Force recently highlighted a loader and backdoor called Domino that is designed to facilitate further exploitation.
Mirai Botnet Exploits TP-Link Archer WiFi Router Bug
In a related development, the Zero Day Initiative (ZDI) revealed that the authors of the Mirai botnet had updated their malware to include CVE-2023-1389, a high-severity flaw in the TP-Link Archer AX21 router that could allow an unauthenticated adversary to execute arbitrary code on affected installations.
The flaw (CVE-2023-1389, CVSS score: 8.8) was demonstrated at the Pwn2Own hacking contest held in Toronto in December 2022 by researchers from Team Viettel, prompting the vendor to issue a fix in March 2023.
The first signs of in-the-wild exploitation, per ZDI, appeared on April 11, 2023, with threat actors exploiting the flaw to make HTTP requests to Mirai’s command-and-control (C2) server in order to download and execute the payload responsible for co-opting the device into the botnet and launching DDoS attacks against game servers.
“This is nothing new for the Mirai botnet maintainers, who are known to quickly exploit IoT devices to maintain their foothold in the enterprise,” ZDI threat researcher Peter Girnus said. “Applying this patch is the only recommended action to address this vulnerability.”