The new PaperCut vulnerability, CVE-2023-27350, affects PaperCut MF and PaperCut NG software, allowing an attacker to bypass authentication and execute arbitrary code with SYSTEM privileges.

A pc-app.exe file on vulnerable PaperCut servers runs with SYSTEM or root-level privileges, depending on the configuration, and might be exploited to execute other processes such as cmd.exe for the command line or powershell.exe for PowerShell scripts. Those child processes inherit the privileges of the pc-app.exe process, allowing attackers to run code with high privileges on the server.

PaperCut announced the vulnerability in March 2023 and later updated its website to indicate that the company now has evidence suggesting unpatched servers are being exploited in the wild. A banner at the top of the company's site features a link to the communication, which is marked as urgent for all PaperCut NG and MF customers. The patch has been available since March 2023.

Another vulnerability affecting PaperCut MF and NG software, CVE-2023-27351, allows an unauthenticated attacker to potentially pull information such as usernames, full names, email addresses, office information and any card numbers associated with the user. While PaperCut has no evidence of this vulnerability being used in the wild, a tweet from Microsoft mentions use of the vulnerability without providing further details.

How ransomware groups are actively exploiting this vulnerability

According to the FBI, the Bl00dy ransomware group gained access to victims' networks across the Education Facilities Subsector, with some of these attacks leading to data exfiltration and encryption of those systems. The threat actor exploited the PaperCut vulnerability through the software's printing interface to download and execute legitimate remote management and maintenance software to achieve their goal. The threat actor leaves a note on the affected systems asking for payment in cryptocurrency (Figure A).

Figure A: Sample ransomware note from the Bl00dy ransomware gang.

The FBI also identified information relating to the download and execution of malware including DiceLoader, TrueBot and Cobalt Strike beacons, although their purpose is not yet clear.

Microsoft Threat Intelligence tweeted about recent attacks exploiting the PaperCut vulnerability to deliver Clop ransomware since April 13, 2023. The group behind that operation is known to Microsoft as Lace Tempest, which previously exploited GoAnywhere and Raspberry Robin to deliver malware. Microsoft also reported LockBit deployments using the same vulnerability as the initial compromise vector.

[Image: Microsoft tweets about cyberespionage threat actors]
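The pc-app.exe child-process behaviour described above is something a defender can watch for in process-creation telemetry. As an added example (not from the article, from PaperCut or from any vendor), the Python below scans constructed process-creation records and flags command shells spawned under pc-app.exe, with any other unexpected child rated lower for review; the record format, the installation paths, the pc-app/pwsh/sh/bash names and the allowlist of expected helper processes are assumptions.

```python
"""Flag shells spawned by PaperCut's pc-app.exe in process-creation logs."""
from typing import Optional

# The article names pc-app.exe (SYSTEM/root) spawning cmd.exe or
# powershell.exe; "pc-app", pwsh.exe, sh and bash are assumed additions.
PARENTS = {"pc-app.exe", "pc-app"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# Hypothetical allowlist of helpers pc-app launches legitimately; tune it.
EXPECTED_CHILDREN = {"pc-web-print.exe"}

# Constructed sample events: timestamp|parent_image|image|user|command_line
SAMPLE_LOG = """\
2023-04-20T10:01:02Z|C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe|C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-web-print.exe|NT AUTHORITY\\SYSTEM|pc-web-print.exe
2023-04-20T10:05:17Z|C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe|C:\\Windows\\System32\\cmd.exe|NT AUTHORITY\\SYSTEM|cmd.exe /c whoami
2023-04-20T10:05:19Z|C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|NT AUTHORITY\\SYSTEM|powershell.exe -NoProfile -EncodedCommand AAAA
2023-04-20T10:06:00Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|CORP\\alice|cmd.exe
"""

def basename(path: str) -> str:
    """Last path component, case-folded, for Windows or POSIX paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_line(line: str) -> dict:
    ts, parent, image, user, cmdline = line.split("|", 4)
    return {"ts": ts, "parent": parent, "image": image, "user": user, "cmdline": cmdline}

def classify(event: dict) -> Optional[str]:
    """'high' for a shell child of pc-app, 'medium' for any other unexpected
    child, None for unrelated parents or allowlisted helpers."""
    if basename(event["parent"]) not in PARENTS:
        return None
    child = basename(event["image"])
    if child in SHELLS:
        return "high"
    return None if child in EXPECTED_CHILDREN else "medium"

def scan(log_text: str) -> list:
    """Return one finding dict per flagged record, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        severity = classify(event)
        if severity:
            findings.append({**event, "severity": severity, "child": basename(event["image"])})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} pc-app -> {f['child']} as {f['user']}: {f['cmdline']}")
```

Running it against the constructed sample reports the cmd.exe and powershell.exe children as high severity and ignores the allowlisted helper and the explorer.exe-launched shell.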