ShiftDelete.Net Global

PaperCut servers exploited for ransomware attacks

Ana sayfa / CyberSecurity

Microsoft has confirmed the active exploitation of PaperCut servers in connection with attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant’s threat intelligence team attributes a subset of the intrusions to a financially motivated actor known as Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups such as FIN11, TA505, and Evil Corp.

Lace tempest’s attack strategy

In observed attacks, Lace Tempest executed multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service. The next phase of the attack involved deploying the Cobalt Strike Beacon implant for conducting reconnaissance, moving laterally across networks using WMI, and exfiltrating files of interest via the file-sharing service MegaSync.

Lace Tempest, a Cl0p ransomware affiliate, has previously exploited Fortra GoAnywhere MFT and gained initial access via Raspberry Robin infections (attributed to another actor known as DEV-0856). Raspberry Robin, also referred to as the QNAP worm, is believed to be an access-as-a-service malware used for delivering next-stage payloads such as IcedID, Cl0p, and LockBit.

Microsoft reported that the threat actor incorporated PaperCut flaws (2023-27350 and CVE-2023-27351) into its attack toolkit as early as April 13, supporting the Melbourne-based print management software provider’s earlier assessment. Successful exploitation of these security vulnerabilities could enable unauthenticated remote attackers to execute arbitrary code and gain unauthorized access to sensitive information. A separate cluster of activity has also been detected weaponizing the same flaws, including those leading to LockBit ransomware infections.

FIN7 exploits Veeam flaw CVE-2023-27532

In a separate development, the Russian cybercrime group known as FIN7 has been linked to attacks exploiting unpatched PaperCut server instances to distribute POWERTRASH, a staple PowerShell-based in-memory dropper that executes embedded payloads.

The activity, detected by WithSecure on March 28, 2023, likely involved the abuse of CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication that allows an unauthenticated attacker to access encrypted credentials stored in the configuration database and gain access to infrastructure hosts. It was patched last month.

FIN7 used a series of commands and custom scripts to gather host and network information from compromised machines and executed SQL commands to steal information from the Veeam backup database. Custom PowerShell scripts were also utilized to retrieve stored credentials from backup servers, gather system information, and establish an active foothold in the compromised host by executing DICELOADER (aka Lizar or Tirion) every time the device boots up.

These findings highlight the group’s evolving tradecraft and modus operandi. It’s worth noting that the objectives of these attacks were unclear at the time of writing, as they were mitigated before fully materializing.

Mirai Botnet Exploits TP-Link Archer WiFi Router Bug

In another related development, the Zero Day Initiative (ZDI) disclosed that Mirai botnet authors have updated their malware to include CVE-2023-1389, a high-severity flaw in TP-Link Archer AX21 routers that could allow an unauthenticated adversary to execute arbitrary code on affected installations. CVE-2023-1389 (CVSS score: 8.8) was demonstrated at the Pwn2Own hacking contest in December 2022 by researchers from Team Viettel, prompting the vendor to issue fixes in March 2023.

The first signs of in-the-wild exploitation, according to ZDI, emerged on April 11, 2023, with threat actors leveraging the flaw to make an HTTP request to Mirai command-and-control (C2) servers. This allowed them to download and execute payloads responsible for incorporating the affected devices into the botnet and launching DDoS attacks against game servers.

Mirai Botnet’s Rapid Exploitation of IoT Devices

The Mirai botnet operators are notorious for quickly exploiting IoT devices, like the PaperCut servers, to maintain their presence in an enterprise, highlighting the need for timely security patch application. ZDI threat researcher Peter Girnus recommends that applying the patch is the sole suggested action to resolve this vulnerability involving PaperCut.

These recent developments highlight the importance of proactive security measures and staying informed about emerging threats. Organizations must prioritize patching security vulnerabilities and invest in robust security solutions to protect against evolving cyber threats. Additionally, educating employees about best practices for cybersecurity can help minimize the risk of falling victim to ransomware attacks and other forms of cybercrime.

Yorum Ekleyin