December 11, 2023

Microsoft has claimed that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the result of a Clop ransomware affiliate.

The two vulnerabilities in tracked as CVE-2023–27350 a critical unauthenticated remote code execution flaw with a CVSS score of 9.8 and CVE-2023–27351 a high severity unauthenticated information disclosure flaw.

PaperCut alerted users that the vulnerabilities were being exploited in the wild and urged customers to update their servers immediately.


Microsoft Threat Intelligence attributed recent attacks exploiting the bugs to “Lace Tempest,” a threat actor it overlaps with FIN11 and TA505. FIN11 is linked to the infamous Clop ransomware gang, while TA505 is linked with Dridex banking Trojan and Locky ransomware.

Lace Tempest is a Clop ransomware affiliate that has previously been detected using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the threat group exploited the PaperCut bugs in attacks as early as April 13.

Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service.


Then, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync.

Microsoft added that other groups may also be exploiting the two PaperCut vulnerabilities in the wild. Some intrusions had led to the deployment of the prolific LockBit ransomware

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.