
PaperCut Vulnerabilities Patched

PaperCut, a popular print management software solution, recently faced two significant vulnerabilities that ransomware gangs actively exploited. PaperCut has since released patches for both flaws.

CVE-2023-27350: Unauthenticated Remote Code Execution Flaw

This vulnerability has a CVSS v3.1 score of 9.8, indicating a critical risk level. The unauthenticated remote code execution flaw allowed attackers to execute arbitrary code on vulnerable systems without any form of authentication, giving them unrestricted access to sensitive data and the ability to compromise networks. Adding to the severity of this vulnerability is the fact that proof of concept code was publicly released, giving less skilled cybercriminals a ready-made template for exploiting the flaw.

CVE-2023-27351: Unauthenticated Information Disclosure Flaw

The second vulnerability, CVE-2023-27351, has a CVSS v3.1 score of 8.2, which is considered high risk. This flaw allowed unauthenticated information disclosure, meaning attackers could access sensitive data without needing valid credentials. Exploiting this vulnerability would enable cybercriminals to gain valuable information and potentially use it for more precise targeted attacks. While not as critical as the remote code execution flaw, this vulnerability still posed a considerable threat to users' security and privacy.

Proof of Concept Code Released

The proof of concept (PoC) code made available to the public heightened the risks associated with these vulnerabilities. This PoC code provided a roadmap for potential attackers to exploit these flaws even without extensive technical knowledge. Releasing PoC code is a double-edged sword; while it aids in spreading awareness about security flaws and helps security researchers develop patches, it also provides would-be attackers with a blueprint to conduct attacks. The patches released for these vulnerabilities are critical to ensure the security of PaperCut users and their networks.

Malicious Actors Exploiting PaperCut Vulnerabilities

As the PaperCut vulnerabilities became known, various ransomware gangs quickly started actively exploiting them. Among these malicious actors were Lace Tempest, an affiliate of the Clop ransomware group, and the LockBit ransomware operation, both targeting vulnerable PaperCut servers to infiltrate networks and deploy their ransomware payloads.

Lace Tempest (Clop Ransomware Affiliate) Targeting Vulnerable Servers

Lace Tempest, an affiliate of the well-known Clop ransomware group, was one of the first malicious actors to exploit the PaperCut vulnerabilities. By using the unauthenticated remote code execution and information disclosure flaws, Lace Tempest managed to compromise vulnerable servers, gaining unrestricted access to sensitive data and networks. Once inside these compromised systems, Lace Tempest deployed Clop ransomware, encrypting files and demanding ransoms to release the decryption keys.

By employing sophisticated methods such as PowerShell commands, command and control server connections, and the Cobalt Strike Beacon, Lace Tempest has successfully infiltrated systems and delivered its ransomware payload.

LockBit Ransomware Strain Also Targeting PaperCut Servers

LockBit, another notorious ransomware strain, has also been actively exploiting PaperCut server vulnerabilities. Similar to Lace Tempest's strategy, LockBit exploited the unauthenticated remote code execution and information disclosure flaws to infiltrate vulnerable systems. With access to sensitive data and internal networks, LockBit deployed its ransomware payload, leading to encrypted files and ransom demands. The rapid adoption of these vulnerabilities by malicious actors such as LockBit and Lace Tempest highlights the severity of these PaperCut flaws and emphasizes the importance of regularly patching and updating software to protect against cyber threats.

Using PowerShell Commands to Deliver TrueBot DLL

Lace Tempest's attacks often begin with the execution of PowerShell commands, which are used to deliver a malicious TrueBot DLL (Dynamic Link Library) file to the targeted system. The DLL is then loaded on the system and serves as a building block for further malicious activity, such as establishing connections to command and control servers and downloading additional malware components.

Connects to a Command and Control Server

Once the TrueBot DLL is in place, Lace Tempest's malware connects to a command and control (C2) server. This connection allows the attackers to send commands and receive data from the compromised system, facilitating data exfiltration and enabling the deployment of additional malware components or tools, such as the Cobalt Strike Beacon.

Utilizing Cobalt Strike Beacon for Ransomware Delivery

Lace Tempest often uses the Cobalt Strike Beacon as part of its attack chain. Cobalt Strike is a legitimate penetration testing tool, which includes a post-exploitation agent called the "Beacon." Unfortunately, cybercriminals like Lace Tempest have repurposed this tool for their malicious objectives. In this case, they use the Cobalt Strike Beacon to deliver Clop ransomware to the targeted systems. Once the ransomware is deployed, it encrypts files on the system and demands a ransom for decryption keys, effectively holding the victims' data hostage.
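The chain described in the three sections above (PowerShell spawned by the server process, a DLL loaded, a connection to a C2 host) is also the sequence a defender would look for in endpoint telemetry. The following is an added example and is not code from the article, from PaperCut or from any vendor: it walks constructed process-creation and network-connection events, flags any PowerShell process whose parent is the print-server process, and follows that process's descendants to any outbound connection. The server process name `printserver.exe`, the event field names and the sample events are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Images whose appearance as a child of the server process is suspicious.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    ppid: int = 0        # parent pid, process events only
    image: str = ""      # executable file name, process events only
    cmdline: str = ""    # command line, process events only
    dest: str = ""       # "ip:port", network events only


# Constructed sample telemetry (simplified EDR/Sysmon-style records).
# "printserver.exe" is an assumed name for the print-management service
# process, not a real PaperCut file name.
SAMPLE_EVENTS = [
    Event("process", 1000, 4, "services.exe"),
    Event("process", 1200, 1000, "printserver.exe", "printserver.exe -service"),
    # Benign: an administrator opening PowerShell from the desktop.
    Event("process", 1500, 900, "explorer.exe"),
    Event("process", 1501, 1500, "powershell.exe", "powershell.exe"),
    # Suspicious: the server process spawns an encoded PowerShell command ...
    Event("process", 2001, 1200, "powershell.exe",
          "powershell.exe -NoP -W Hidden -enc SQBFAFgA..."),
    # ... which loads a DLL from a temp path and then talks to a remote host.
    Event("process", 2002, 2001, "rundll32.exe",
          r"rundll32.exe C:\Windows\Temp\update.dll,Start"),
    Event("network", 2002, dest="203.0.113.10:443"),  # TEST-NET-3 address
]


def is_encoded(cmdline: str) -> bool:
    """True if the command line carries a Base64-encoded command switch."""
    tokens = cmdline.lower().split()
    return any(t.startswith("-enc") or t == "-e" for t in tokens)


def find_chains(events, server_image="printserver.exe"):
    """Return one alert per PowerShell process spawned by the server process.

    Each alert records whether the command was encoded, the process tree
    rooted at that PowerShell instance, and every outbound connection made
    by a process in that tree.
    """
    procs = {e.pid: e for e in events if e.kind == "process"}
    children = defaultdict(list)
    for e in procs.values():
        children[e.ppid].append(e)
    connections = defaultdict(list)
    for e in events:
        if e.kind == "network":
            connections[e.pid].append(e.dest)

    alerts = []
    for e in procs.values():
        parent = procs.get(e.ppid)
        if (e.image.lower() in POWERSHELL_IMAGES and parent is not None
                and parent.image.lower() == server_image.lower()):
            # Depth-first walk over the descendants of the PowerShell process.
            tree, dests, stack = [], [], [e]
            while stack:
                p = stack.pop()
                tree.append(p.image)
                dests.extend(connections.get(p.pid, []))
                stack.extend(children.get(p.pid, []))
            alerts.append({
                "root_pid": e.pid,
                "parent": parent.image,
                "encoded_command": is_encoded(e.cmdline),
                "process_tree": tree,
                "outbound": dests,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign PowerShell launched from `explorer.exe` is deliberately left unflagged: the signal is the parent process, not PowerShell itself. In a real deployment the `server_image` argument would be set to the actual service executable name from the vendor documentation or the host's process inventory, and the alert would be enriched with the DLL path and destination reputation rather than printed.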

Shift in Ransomware Operations

There has been a noticeable shift in the operations of ransomware gangs, such as Clop, in recent years. Instead of relying solely on encrypting data and demanding ransoms for decryption keys, attackers are now prioritizing stealing sensitive data for extortion purposes. This change in tactics has made cyberattacks even more threatening, as malicious actors can now leverage the stolen data to force victims into paying ransoms, even if they have sound backup strategies in place.

Focus on Stealing Data for Extortion

Ransomware gangs have realized that stealing data for extortion purposes can yield more lucrative results than simply relying on encryption to hold victims hostage. By exfiltrating sensitive information, attackers can now threaten to publish or sell the stolen data on the dark web, potentially causing significant financial and reputational damage to organizations. This added pressure increases the likelihood of victims paying the demanded ransoms.

Prioritizing Data Theft in Attacks

In line with this shift, ransomware gangs like Lace Tempest have started prioritizing data theft in their attacks. By developing sophisticated attack tactics such as using PowerShell commands, the TrueBot DLL, and the Cobalt Strike Beacon, these malicious actors are able to infiltrate vulnerable systems and exfiltrate data before encrypting it, effectively increasing their chances of a successful extortion.

Clop Gang’s History with Exploiting Vulnerabilities for Data Exfiltration

The Clop gang has a history of exploiting vulnerabilities for data exfiltration purposes. For instance, in 2020, Clop operatives successfully hacked Accellion and stole data from approximately 100 companies using disclosed vulnerabilities in the company's File Transfer Appliance application. More recently, the Clop gang utilized zero-day vulnerabilities in the GoAnywhere MFT secure file-sharing platform to steal data from 130 companies. This pattern of exploiting vulnerabilities for data theft, combined with the ever-evolving ransomware landscape, highlights the need for organizations to adopt robust security measures and maintain up-to-date software to protect their critical assets.
