Microsoft links PaperCut server attacks to Cl0p, LockBit ransomware
Microsoft Threat Intelligence noted attacks were facilitated by GoAnywhere vulnerabilities and the Raspberry Robin worm


Researchers have linked leading ransomware groups Cl0p and LockBit to the ongoing exploitation of critical-rated vulnerabilities in print management software from PaperCut.
The vulnerabilities, CVE-2023-27350 and CVE-2023-27351, have a near-maximum 9.8 severity score and have enabled remote code execution on vulnerable PaperCut servers since at least January 2023.
PaperCut was first alerted to the vulnerabilities by Trend Micro in January 2023, but alerts about active exploitation didn’t come until earlier this month.
In some instances, attackers used the flaws to spread Cl0p ransomware.
Microsoft Threat Intelligence tweeted that it has linked the attacks with Lace Tempest, a group it tracks that is also referred to as FIN11 or TA505.
The group has previously been linked with major cyber attacks such as the hacking of Accellion’s FTA in 2021, a campaign that affected major organizations such as Morgan Stanley.
Lace Tempest was observed using PowerShell commands to deliver TrueBot malware, which is used to check security protocols and deploy further malicious payloads.
It has also been tracked using the Raspberry Robin worm to load other malware including LockBit's ransomware payload.
Microsoft also linked it to Cl0p’s GoAnywhere-related attacks, which may have affected more than 130 organizations and allowed for widespread enterprise extortion.
Like the PaperCut vulnerabilities, GoAnywhere’s flaw allowed Cl0p and other threat actors to execute arbitrary code on breached systems.
Organizations such as the Pension Protection Fund and Rubrik were hit by data breaches as a result of the flaw.
Microsoft Threat Intelligence moved to a new taxonomy for threat actors on April 18 using the nomenclature of weather events.
Nation states prominent for sponsoring threat actors have all been assigned their own weather events such as ‘Blizzard’ for Russia or ‘Sleet’ for North Korea. Threat groups under these banners are assigned unique prefixes so they are individually identifiable.
What are the PaperCut server attacks?
Cyber security firm Trend Micro notified PaperCut about two flaws present in PaperCut MF and NG version 22.0.5, and PaperCut released patches to prevent them from being exploited on customer servers.
The first, tracked as CVE-2023-27350, received a CVSS3 rating of 9.8 (critical). It can be used by threat actors to execute code remotely, opening up victims to unchecked malware attacks or data theft.
CVE-2023-27351 can be used to steal user data from servers including payment information, logins, and email addresses.
However, as late as mid-April some enterprises had not updated their printer servers and were still vulnerable.
It was at this stage that the firm announced it had evidence to suggest the vulnerabilities were being exploited in the wild.
“We’ve had reports of customers being late to patch, and as a result their servers have been exposed for a number of weeks,” Chris Dance, CEO and founder at PaperCut, wrote in a blog post.
CVE-2023-27350 has been added to CISA’s list of known exploited vulnerabilities, which requires federal agencies to apply PaperCut’s update by May 12.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.