Microsoft has confirmed that PaperCut servers are being actively exploited by Lace Tempest, a financially motivated actor, to deliver the Cl0p and LockBit ransomware families.
They are using PowerShell commands to steal LSASS credentials and inject TrueBot payloads into conhost.exe.
Cobalt Strike Beacon is then used to move laterally across the network and exfiltrate files.
Lace Tempest is also known to leverage Fortra GoAnywhere MFT exploits and Raspberry Robin infections.
Microsoft has also noted that other clusters of activity are weaponizing the same flaws, leading to LockBit ransomware infections.
Separately, FIN7 is exploiting the Veeam flaw CVE-2023-27532 to distribute POWERTRASH, and the Mirai botnet authors are exploiting the TP-Link Archer WiFi router bug CVE-2023-1389 to co-opt devices into the botnet and launch DDoS attacks.