Dev-0950

Threat Actor updated 5 months ago (2024-05-05T12:17:34.830Z)
Lace Tempest, also known as DEV-0950 or TA-505, is a threat actor associated with the deployment of Clop ransomware. This group has been noted for its use of GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns.

Microsoft has attributed recent attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in PaperCut, a print management product, to this threat actor. Lace Tempest has leveraged these vulnerabilities to deliver Clop ransomware. According to Microsoft's security intelligence team, the threat actor incorporated the PaperCut exploits into its attack campaigns as early as April 13. The exploitation of these vulnerabilities highlights the adaptive nature of Lace Tempest, which continuously incorporates new techniques and vulnerabilities into its arsenal to increase the effectiveness of its malicious activities. This evolution in tactics underscores the need for continuous monitoring and updating of cybersecurity defenses to keep pace with emerging threats.

Microsoft’s threat intelligence team and SysAid’s Advisory have confirmed that the CVE-2023-27350 and CVE-2023-27351 vulnerabilities have been exploited in the wild by Lace Tempest. The confirmation of these exploits by two independent bodies lends credibility to the attribution and underscores the seriousness of the threat posed by Lace Tempest. This information serves as a critical warning for organizations to patch these vulnerabilities promptly and reinforce their security measures against the evolving tactics of threat actors like DEV-0950.
Description last updated: 2024-05-05T11:53:06.318Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Dev-0950 Threat Actor was read from the documents corpus below.