TLP: CLEAR - This information may be shared publicly
eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Organizations must prioritize patching known vulnerabilities with high exploitation potential. Failure to do so can lead to network-wide ransomware deployment and other malicious activities. The recent exploitation of PaperCut vulnerabilities demonstrates the need for swift action.
In a series of recent attacks, the CLOP ransomware affiliate group Lace Tempest (DEV-0950) was observed exploiting PaperCut vulnerabilities CVE-2023-27350 and CVE-2023-27351. These vulnerabilities were initially patched on March 8th, 2023, and Horizon3 provided further details on April 24th, 2023, after PaperCut became aware of in-the-wild exploitation on April 19th, 2023.
CVE-2023-27350 allows an attacker to achieve remote code execution and compromise the PaperCut application server. This vulnerability is due to improper access control within the SetupCompleted class, enabling attackers to bypass authentication and execute arbitrary code. Exploitation of this vulnerability can be achieved by abusing the built-in "Scripting" functionality for printers.
The impact of the PaperCut vulnerabilities is significant, with approximately 1,700 internet-exposed PaperCut servers found by querying Shodan. The software is popular among State, Local, and Education (SLED) organizations, with education making up 450 of the results.
Lace Tempest has been exploiting the PaperCut vulnerabilities since at least April 13th, 2023. In observed attacks, threat actors delivered a TrueBot DLL via PowerShell commands, connected to attacker Command and Control (C2) servers, attempted to steal LSASS credentials, and injected the TrueBot payload into conhost.exe. The attackers went on to deploy Cobalt Strike, conduct reconnaissance, move laterally using Windows Management Instrumentation (WMI), and exfiltrate data via the file-sharing application MegaSync.
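A defender-side illustration of the activity described above, added here and not part of eSentire's briefing: a small Python triage routine that flags process-creation events in which the PaperCut application server process (assumed here to be pc-app.exe) spawns PowerShell or cmd, or in which a shell is launched with an encoded or download-style command line. That parent/child relationship is what post-exploitation PowerShell delivery from a compromised PaperCut server would leave in endpoint telemetry. The sample events are constructed, not real data.

```python
import re
from typing import Dict, List, Tuple

# Assumed name of the PaperCut NG/MF application server process (not stated in the briefing).
PAPERCUT_PARENTS = {"pc-app.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line fragments typical of a download-and-execute stage; constructed heuristics,
# tune them against your own baseline before alerting on them.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-enc\b|-encodedcommand|downloadstring|invoke-webrequest|\biwr\b|bitsadmin|certutil\s+-urlcache)"
)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like PaperCut post-exploitation (empty if benign)."""
    reasons: List[str] = []
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if parent in PAPERCUT_PARENTS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    if child in SHELLS and SUSPICIOUS_ARGS.search(ev.get("command_line", "")):
        reasons.append("shell command line contains download/encoded-command pattern")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run check_event over a batch and keep only events that produced at least one reason."""
    flagged = []
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            flagged.append((ev["id"], reasons))
    return flagged


# Constructed sample telemetry with Sysmon-style process-creation fields, not real data.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
    {"id": 3, "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Program Files\Java\bin\java.exe", "command_line": "java.exe -jar server.jar"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: " + "; ".join(reasons))
```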
eSentire MDR for Network has detections in place to identify exploitation attempts against PaperCut. The eSentire Threat Intelligence team has been tracking CLOP since 2021, and eSentire has a variety of detections in place for tools and techniques known to be employed by the group.
The rapid exploitation of recently disclosed vulnerabilities by ransomware groups like CLOP highlights the importance of quickly identifying and remediating severe vulnerabilities. Organizations must ensure that a vulnerability management service is in place to aid in this process.
Organizations that have not yet patched the PaperCut vulnerabilities should assume a breach and apply the available patches immediately. The eSentire Threat Intelligence team released an advisory on the PaperCut vulnerabilities on April 25th, outlining actions taken to protect clients and steps clients should take to mitigate the risk of exploitation.
Considering the technical abilities of the threat actors and their history of exploiting recently disclosed vulnerabilities, it is almost certain that Lace Tempest and other CLOP affiliates will continue to carry out campaigns and adapt their techniques to minimize detections.
Bottom Line: Backup and replication software is a prime target for both financially motivated threat actors and APT groups. The FIN7 threat actors have recently been observed targeting Veeam Backup & Replication software for initial access into victim organizations.
Researchers from WithSecure Intelligence have identified a recent FIN7 campaign targeting organizations running internet facing Veeam Backup & Replication servers. FIN7 is a financially motivated threat actor group that has been active since at least 2012. The group has consistently updated their tactics and tooling to remain relevant and successful in the threat landscape.
In the recently observed campaign starting in March 2023, FIN7 gained initial access to victim organizations via Veeam. While not confirmed, it is suspected that FIN7 exploited the recently disclosed Veeam vulnerability CVE-2023-27532 (CVSS: 7.5). Exploitation of this vulnerability allows threat actors to gain access to the backup infrastructure host.
After initial access was gained, FIN7 went on to deploy a variety of different malware types, including one previously unidentified loader.
The recent attacks were disrupted prior to threat actors completing their objectives. Due to this, the attacker end goals have not been identified. FIN7 has recently conducted ransomware attacks involving a variety of different ransomware types, and there is a high probability that these recent campaigns would have resulted in ransomware deployment. In response to this report, the eSentire Threat Intelligence team performed threat hunts across our client base for Indicators of Compromise (IoCs) associated with FIN7. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place to identify CVE-2023-27532. eSentire has tracked FIN7 activity for years and has a wide variety of detections in place to identify known FIN7 tools and techniques.
The recent compromise of Veeam Backup & Replication servers by the FIN7 cybercrime group highlights the importance of securing backups. Backups are a prime target for ransomware deployment and a one-stop shop for information theft. Attackers can compromise backup servers to steal sensitive data, compromise the integrity of backups, and deploy ransomware to extort money from the victims. Additionally, encryption of backup systems could render a business continuity plan useless if the organization does not have a secondary, isolated backup solution. This would give threat actors such as FIN7 leverage in negotiations.
The FIN7 attacks show how opportunistic attackers can take advantage of known vulnerabilities to compromise critical systems, even if their objective initially seems unclear. Opportunistic attacks highlight the importance of patching vulnerabilities promptly, implementing security best practices, and monitoring systems for signs of compromise to prevent data breaches and ransomware attacks.
Bottom Line: This incident further demonstrates the nexus between cyber operations and information warfare (foreign influence campaigns). This highlights the importance of protecting the democratic voting processes, election infrastructure, and public integrity.
At RSA 2023, CISA and the Cyber National Mission Force (CNMF) disclosed a campaign executed by Iranian state-sponsored threat actors in 2020, targeting US election infrastructure. In 2020, an Iranian state-sponsored APT group tracked as Pioneer Kitten (aka PARISITE, UNC757, Fox Kitten) was able to gain access to a city's local infrastructure used for recording voting results. After discovery, the threat actors were removed from the environment without any major impact, and steps were taken to prevent follow-on incidents. CNMF stated that its major concern surrounding this type of attack was the following: "Our concern is always that some type of website defacement, some type of DDoS attack, something that took the website down or defaced the website, say on the night of the election, could make it look like the vote had been tampered with, when that's absolutely not true."
CISA and CNMF disclosed other, more recent attacks performed by state-sponsored threat actor groups targeting government organizations. CNMF coordinated with CISA to disrupt a campaign being carried out by the Chinese state-sponsored APT group Hafnium; additional details were not provided. CISA stated that it has recently detected intrusions impacting three civilian federal agencies, but the attacks have not been attributed to any specific group at this time.
Cities and government organizations are high-value targets for both financially motivated cyber criminals and state-sponsored threat actor groups. Financially motivated threat actors have a long history of targeting cities and government entities to deploy ransomware; related outages are highly impactful and have prevented public services from functioning. State-sponsored threat actors are more likely to target governments for espionage-related purposes. This is not the first time that Iranian APTs have targeted organizations related to US elections. In November 2020, CISA and the FBI warned that Iran was actively spreading misinformation related to the 2020 election and targeting U.S. state websites, including election sites, in “an intentional effort to influence and interfere with the 2020 U.S. presidential election.”
State-sponsored attacks against election infrastructure are highly concerning. These attacks may be performed for various purposes, ranging from directly impacting elections to undermining citizens' trust in the election process. Election-related attacks and influence campaigns have been identified as being performed by various state actors against multiple countries, and this trend is expected to continue.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.