Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver the Cl0p and LockBit ransomware families. The company's threat intelligence team attributed a subset of these intrusions to a financially motivated actor tracked as Lace Tempest (formerly DEV-0950). This actor has been observed executing various PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service. A Cobalt Strike beacon implant was then deployed to perform reconnaissance, move laterally across the network using WMI, and exfiltrate files of interest via the MegaSync file-sharing service.

Lace Tempest has also leveraged Fortra GoAnywhere MFT exploits and initial access obtained through Raspberry Robin infections. Microsoft confirmed that the threat actor had incorporated the PaperCut flaws (CVE-2023-27350 and CVE-2023-27351) into its attack toolkit starting April 13. Additionally, a separate cluster of activity has been detected weaponizing the same flaws, including activity leading to LockBit ransomware infections.

The Russian cybercrime group FIN7 has also been connected to attacks exploiting unpatched Veeam backup software instances to distribute POWERTRASH, and the authors of the Mirai botnet have updated their malware to include CVE-2023-1389, a high-level flaw in TP-Link Archer AX21 routers. These threats have been mitigated before fully materializing, and the only recommended action to address this vulnerability is to apply the patch.
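The chain described above (PowerShell launched from the PaperCut server, LSASS credential access, WMI-driven lateral movement, and exfiltration through MegaSync) gives defenders several process-level signals to hunt for while the patch is rolled out. The following is an added example, not code from the article or from Microsoft, that runs simple detection rules over constructed, Sysmon-style process-creation events. The event field names, the PaperCut server process name (`pc-app.exe`) and all sample command lines are assumptions made for illustration.

```python
"""Hunt for the PaperCut -> PowerShell -> credential theft -> WMI -> MegaSync
chain in process-creation telemetry. Added example; event schema, process
names and sample data are assumptions, not values from the article."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process (assumed field)
    image: str          # full path of the created process (assumed field)
    command_line: str


# Assumed process name of the PaperCut application server (placeholder).
PAPERCUT_PARENTS = {"pc-app.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WMI_PARENTS = {"wmiprvse.exe"}          # WMI provider host spawning children
EXFIL_TOOLS = {"megasync.exe"}          # MegaSync client named in the article
# Command lines that reference the LSASS process or well-known dump tooling.
LSASS_HINTS = re.compile(r"lsass|sekurlsa", re.I)
# PowerShell invoked with an encoded command block.
ENCODED_PS = re.compile(r"(^|\s)-(e|enc|encodedcommand)\s", re.I)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of rule names that fire for one event (may be empty)."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    findings = []
    if parent in PAPERCUT_PARENTS and image in SHELLS:
        findings.append("papercut_spawned_shell")
    if image in SHELLS and ENCODED_PS.search(ev.command_line):
        findings.append("encoded_powershell")
    if LSASS_HINTS.search(ev.command_line):
        findings.append("lsass_credential_access")
    if parent in WMI_PARENTS and image in SHELLS:
        findings.append("wmi_remote_execution")
    if image in EXFIL_TOOLS:
        findings.append("megasync_exfil_tool")
    return findings


def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each host with at least one finding to its sorted, de-duplicated rule hits."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            per_host.setdefault(ev.host, set()).update(hits)
    return {host: sorted(hits) for host, hits in per_host.items()}


# Constructed sample telemetry (not real logs): a print server, a file server,
# and a workstation with ordinary scripted PowerShell use.
SAMPLE_EVENTS = [
    ProcEvent("print01", r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A"),
    ProcEvent("print01", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\Temp\dumper.exe",
              r"dumper.exe --process lsass.exe --out C:\Windows\Temp\ls.dmp"),
    ProcEvent("fs02", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -c \"Get-ChildItem D:\\Finance -Recurse\""),
    ProcEvent("fs02", r"C:\Windows\explorer.exe",
              r"C:\Users\svc_print\AppData\Local\MEGAsync\MEGAsync.exe",
              "MEGAsync.exe"),
    ProcEvent("ws07", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

Each rule is weak on its own (encoded PowerShell and WMI-launched shells both occur in legitimate administration), so the value is in `triage`, which groups hits per host: a print server that both spawns an encoded shell from the PaperCut process and then touches LSASS is a far stronger signal than either event alone, and that combination is what should page an analyst.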
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA (www.infrascan.net), or you can try it yourself using check.website.
Source: Hackernews