PaperCut logo

Hackers use PaperCut printer vulnerability to spread Clop ransomware

Hackers linked to the Clop ransomware operation are exploiting two recently-disclosed vulnerabilities in print management software PaperCut to steal corporate data from victims.

In a series of tweets posted Wednesday, Microsoft said they attributed the attacks to a threat actor they track as Lace Tempest — a group whose activities overlap with FIN11 and TA505. The financially-motivated hacking group operates as a Clop affiliate, meaning they carry out attacks and deploy Clop ransomware, earning a commission for successful extortions.

Since at least April 13, Lace Tempest has been exploiting two PaperCut vulnerabilities — CVE-2023-27350 and CVE-2023-27351 — to deliver Clop ransomware, according to Microsoft. Last week, the Cybersecurity and Infrastructure Security Agency warned that hackers had exploited the vulnerabilities to gain access to unpatched servers on customer networks.

PaperCut published its first advisory about the issue on March 8, releasing a fix for the bug. The company said it was informed of the vulnerabilities by Trend Micro researchers on January 10.

The bugs allowed hackers to remotely access victim systems, and extract information about users stored within a customer’s servers, including usernames, full names, email addresses, and payment card numbers associated with the accounts.

PaperCut produces printing management software for Canon, Epson, Xerox, and almost every other major printer brand. Its tools are used by more than 70,000 organizations, including government agencies, universities, and large companies around the world.

According to Microsoft, Lace Tempest used several PowerShell commands to deliver a TrueBot malware downloader to targeted systems. TrueBot was created by a Russian-speaking hacking group known as Silence that is responsible for several high-impact attacks on financial institutions in several countries around the world.

In previous attacks, Lace Tempest has been observed using Fortra’s GoAnywhere file transfer product exploits and the Raspberry Robin worm to deliver ransomware — two techniques that are commonly associated with the Clop ransomware group.

“We’re monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment,” Microsoft said, referring to another major ransomware operation. “More threat actors could follow suit.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.