Clop and LockBit ransomware affiliates are behind the recent attacks exploiting vulnerabilities in PaperCut application servers, according to Microsoft and Trend Micro researchers.
“Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest,” Microsoft shared.
“Lace Tempest is a Clop ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13.”.
The attackers run a PowerShell script via the exploited app and download the LockBit ransomware from a temporary hosting site.
Clop and LockBit ransomware-as-a-service affiliates are among the five most active ransomware threat actors.
Trend Micro says the LockBit affiliate is exploiting just the former.