Clop and LockBit

Microsoft: Clop and LockBit ransomware behind PaperCut server hacks

@ndma 28 Apr 2023

Threat Actor

  • Lace Tempest

  • FIN11

  • TA505

  • Clop and LockBit ransomware


Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.

Last month, two vulnerabilities were fixed in the PaperCut Application Server that allows remote attackers to perform unauthenticated remote code execution and information disclosure:

  • CVE-2023–27350 / ZDI-CAN-18987 / PO-1216: Unauthenticated remote code execution flaw impacting all PaperCut MF or NG versions 8.0 or later on all OS platforms, for both application and site servers. (CVSS v3.1 score: 9.8 – critical)

  • CVE-2023–27351 / ZDI-CAN-19226 / PO-1219: Unauthenticated information disclosure flaw impacting all PaperCut MF or NG versions 15.0 or later on all OS platforms for application servers. (CVSS v3.1 score: 8.2 – high)

Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505).


Last updated