{"id":21877,"date":"2023-05-01T05:18:15","date_gmt":"2023-05-01T13:18:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/05\/01\/news-15608\/"},"modified":"2023-05-01T05:18:15","modified_gmt":"2023-05-01T13:18:15","slug":"news-15608","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/05\/01\/news-15608\/","title":{"rendered":"LockBit and Cl0p ransomware gangs actively exploiting Papercut vulnerabilities"},"content":{"rendered":"<p>A few days ago we wrote about two <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/update-your-papercut-application-servers-now-exploits-in-the-wild\">vulnerabilities found in PaperCut application servers<\/a>. As we noted, exploitation was fairly simple so there was some urgency to install the patches. My esteemed colleague Chris Boyd literally wrote:<\/p>\n<blockquote><p>&ldquo;Arbitrary code can be deployed, or even ransomware if that&rsquo;s part of the attacker&rsquo;s toolkit.&rdquo;<\/p><\/blockquote>\n<p>As it turns out, there are already two flavors of ransomware preying on those that haven&rsquo;t updated yet.<\/p>\n<p>A Cl0p affiliate, branded as <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1651346653901725696\" target=\"_blank\" rel=\"nofollow\">DEV-0950 by Microsoft<\/a> has already incorporated the PaperCut exploits into its attacks. 
This affiliate has also been known to use the <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/02\/goanywhere-zero-day-opened-door-to-clop-ransomware\">GoAnywhere zero-day that basically brought Cl0p back<\/a> from the dead last month.<\/p>\n<p>In a surprising turn of events for the ransomware landscape, Cl0p emerged as the most used ransomware in <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/ransomware-review-april-2023\">March 2023<\/a>, coming out of nowhere to dethrone the usual frontrunner, LockBit.<\/p>\n<figure style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/easset_upload_file15701_265901_e.jpg\" alt=\"Known ransomware attacks in March 2023, listed by gang\" caption=\"false\" width=\"700\" height=\"439\" \/><figcaption>Known ransomware attacks in March 2023, listed by gang<\/figcaption><\/figure>\n<p>But don&rsquo;t rule the&nbsp;habitual frontrunner LockBit out just yet. Microsoft Threat Intelligence <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1651346664630755334\" target=\"_blank\" rel=\"nofollow\">said in a tweet<\/a> that it&#8217;s &#8220;monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment.&rdquo;<\/p>\n<div>\n<p>PaperCut is printing management software that works by intercepting print jobs as they pass into a print queue. It&rsquo;s used by large companies, state organizations, and education institutes because it is compatible with all major printer brands and platforms. This makes a vulnerability, especially one that is as easy to exploit, a virtual goldmine for ransomware peddlers, and puts a bullseye on anyone that is running an unpatched server.<\/p>\n<p>Both the underlying vulnerabilities have been addressed with patches. If you update your PaperCut application servers, you are no longer at risk. 
From the&nbsp;<a href=\"https:\/\/www.papercut.com\/kb\/Main\/PO-1216-and-PO-1219%23faqs\" target=\"_blank\" rel=\"nofollow\">Updating FAQ<\/a>:<\/p>\n<ul type=\"disc\">\n<li>Please&nbsp;<a href=\"https:\/\/www.papercut.com\/kb\/Main\/Upgrading\" target=\"_blank\" rel=\"nofollow\">follow your usual upgrade procedure<\/a>. Additional links on the &lsquo;Check for updates&rsquo; page (accessed through the&nbsp;<strong>Admin interface &gt; About &gt; Version info &gt; Check for updates<\/strong>) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.<\/li>\n<li>If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the &lsquo;About&rsquo; tab in the PaperCut admin interface.<\/li>\n<\/ul>\n<p>If you&rsquo;re unable to upgrade, PaperCut advises the following:<\/p>\n<ul>\n<li>Block all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default)<\/li>\n<li>Block all traffic inbound to the web management portal on the firewall to the server. Note: this will prevent lateral movement from internal hosts but management of the PaperCut service can only be performed on that asset.<\/li>\n<li>Apply &ldquo;Allow list&rdquo; restrictions under <strong>Options &gt; Advanced &gt; Security &gt; Allowed site server IP addresses<\/strong>. Set this to only allow the IP addresses of verified Site Servers on your network. Note this only addresses ZDI-CAN-19226 \/ PO-1219.<\/li>\n<\/ul><\/div>\n<h2>How to avoid ransomware<\/h2>\n<ul>\n<li><strong>Block common forms of entry<\/strong>. 
Create a plan for <a href=\"https:\/\/www.malwarebytes.com\/business\/vulnerability-patch-management\">patching vulnerabilities<\/a> in internet-facing systems quickly; disable or <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/03\/blunting-rdp-brute-force-attacks-with-rate-limiting\">harden remote access<\/a> like RDP and VPNs; use <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">endpoint security software<\/a> that can detect exploits and malware used to deliver ransomware.<\/li>\n<li><strong>Detect intrusions<\/strong>. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">EDR<\/a> or <a href=\"https:\/\/www.malwarebytes.com\/business\/managed-detection-and-response\">MDR<\/a> to detect unusual activity before an attack occurs.<\/li>\n<li><strong>Stop malicious encryption<\/strong>. Deploy Endpoint Detection and Response software like <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">Malwarebytes EDR<\/a> that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.<\/li>\n<li><strong>Create offsite, offline backups<\/strong>. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.<\/li>\n<li><strong>Don&rsquo;t get attacked twice.<\/strong> Once you&#8217;ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.<\/li>\n<\/ul>\n<hr \/>\n<p dir=\"ltr\">Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? 
<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/lockbit-and-cl0p-are-actively-exploiting-papercut-vulnerabilities\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/ransomware\" rel=\"category tag\">Ransomware<\/a><\/p>\n<p>Tags: PaperCut<\/p>\n<p>Tags:  Cl0p<\/p>\n<p>Tags:  LockBit<\/p>\n<p>Vulnerabilities in PaperCut printing management are being used in ransomware attacks.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/lockbit-and-cl0p-are-actively-exploiting-papercut-vulnerabilities\" title=\"LockBit and Cl0p ransomware gangs actively exploiting Papercut vulnerabilities\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/lockbit-and-cl0p-are-actively-exploiting-papercut-vulnerabilities\">LockBit and Cl0p ransomware gangs actively exploiting Papercut vulnerabilities<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[24873,24616,32,29216,3765],"class_list":["post-21877","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cl0p","tag-lockbit","tag-news","tag-papercut","tag-ransomware"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21877"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21877\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}