More actors are exploiting unpatched CVE-2023-27350 in the print management software PaperCut since we last reported on Lace Tempest. Microsoft has now observed the Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.
After public POCs were published for CVE-2023-27350, Mint Sandstorm & Mango Sandstorm quickly adapted the exploit in their operations to achieve initial access. This activity shows Mint Sandstorm’s continued ability to rapidly incorporate POC exploits into their operations.
The PaperCut exploitation activity by Mint Sandstorm appears opportunistic, affecting organizations across sectors and geographies. We previously reported on other Mint Sandstorm TTPs: microsoft.com/en-us/security…
Observed CVE-2023-27350 exploitation activity by Mango Sandstorm remains low, with operators using tools from prior intrusions to connect to their C2 infrastructure: microsoft.com/en-us/security…
As more threat actors begin to use this vulnerability in their attacks, organizations are strongly urged to prioritize applying the updates provided by PaperCut to reduce their attack surface: msft.it/6018gPn92
Microsoft 365 Defender detects activity related to exploitation of the PaperCut vulnerabilities. Microsoft Defender Threat Intelligence also includes a report with additional details and recommendations to defend against this threat.

More from @MsftSecIntel

Apr 26
Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505).
Lace Tempest (DEV-0950) is a Clop ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13.
In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service.
Mar 8
As a recent investigation shows, business email compromise (BEC) attacks move fast—from signing in with compromised credentials & registering domains to setting inbox rules & hijacking a thread—highlighting the need to quickly detect and disrupt malicious actions leading to BEC.
In this attack, after signing in, attackers spent about 2 hours searching the compromised account’s mailbox for an email thread to hijack. Finding one, the attackers registered 2 homoglyph domains, one to impersonate the target org, one for a partner org relevant to the thread.
In the next 7 minutes, the attackers performed actions typical of BEC: (1) create an inbox rule to hide emails from the partner org, (2) reply to an existing conversation with a purported change in wire transfer instructions, and (3) delete the email from the Sent Items folder.
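Two detections for the sequence just described, added here as an example and not Microsoft's own logic: an inbox rule that buries mail from the partner org, and replies sent from look-alike domains. The audit-event shape, the victim and partner domains, and the look-alike folding table are all constructed assumptions.

```python
"""Checks for the BEC sequence above: an inbox rule that hides partner mail and
replies sent from look-alike domains.  Added example, not Microsoft's code; the
event shape, partner list and domains are constructed."""
import unicodedata

TARGET_DOMAIN = "contoso.com"                 # constructed victim org
PARTNER_DOMAINS = {"fabrikam-finance.com"}    # constructed partner org

# ASCII look-alike substitutions commonly seen in homoglyph domains (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}
HIDDEN_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email"}

def skeleton(domain):
    """Fold a domain to a comparison form: NFKC, lowercase, look-alikes replaced."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def is_lookalike(domain, known):
    """True when domain is not a known domain but folds to the same skeleton as one."""
    return domain.lower() not in known and skeleton(domain) in {skeleton(k) for k in known}

def hides_partner_mail(rule, partners):
    """True when a rule deletes or buries mail whose sender matches a partner domain."""
    hides = rule.get("delete", False) or rule.get("move_to", "").lower() in HIDDEN_FOLDERS
    senders = {s.split("@")[-1].lower() for s in rule.get("from_contains", [])}
    return hides and bool(senders & partners)

def triage(events, target, partners):
    """Return findings for a sequence of constructed mailbox audit events."""
    known = partners | {target}
    findings = []
    for ev in events:
        if ev["type"] == "InboxRuleCreated" and hides_partner_mail(ev["rule"], partners):
            findings.append("inbox rule hides mail from partner org")
        elif ev["type"] == "MessageSent" and is_lookalike(ev["from"].split("@")[-1], known):
            findings.append("reply from look-alike domain " + ev["from"].split("@")[-1])
    return findings

# Constructed audit events mirroring the thread's sequence.
EVENTS = [
    {"type": "InboxRuleCreated", "rule": {"from_contains": ["@fabrikam-finance.com"], "move_to": "RSS Feeds"}},
    {"type": "MessageSent", "from": "ap@fabrikarn-finance.com"},
    {"type": "MessageSent", "from": "cfo@c0ntoso.com"},
    {"type": "MessageSent", "from": "cfo@contoso.com"},
]
```

Calling `triage(EVENTS, TARGET_DOMAIN, PARTNER_DOMAINS)` returns one finding for the rule and one per look-alike sender, while the genuine contoso.com reply is left alone.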
Sep 16, 2022
Microsoft researchers are tracking an ongoing wide-ranging click fraud campaign where attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices. Microsoft attributes the attack to a threat actor tracked as DEV-0796.
This campaign begins with an ISO file that's downloaded when a user clicks malicious ads or YouTube comments. When opened, the ISO file installs a browser node-webkit (NW.js) or a browser extension. We’ve also seen the use of DMG files, indicating multi-platform activity.
To protect against this threat, Microsoft strongly recommends that customers turn on PUA protection to block the installation of malicious and unwanted programs, and use Defender SmartScreen to block access to malicious download sites and attacker-controlled servers.
Jun 29, 2022
We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a cryptominer and an IRC bot, as well as the use of an exploit for a recently disclosed vulnerability.
The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access.
After initial access, a loader is downloaded from jira[.]letmaker[.]top. This loader evades detection by clearing log files and disabling cloud monitoring and security tools. Tamper protection capabilities in Microsoft Defender for Endpoint help protect security settings.
May 17, 2022
Microsoft recently observed a campaign targeting SQL servers that, like many attacks, uses brute force methods for initial compromise. What makes this campaign stand out is its use of the in-box utility sqlps.exe.
Defenders typically monitor the use of PowerShell in their environment. The sqlps.exe utility, which comes with all versions of SQL by default, has similar functionality and is equally worthy of increased scrutiny.
The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem.
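The scrutiny recommended above, turned into a small hunt over process-creation events, as an added example rather than Microsoft's detection logic. The log lines are constructed and the pipe-separated field layout (timestamp|host|parent|image|cmdline) is an assumption; treating a sqlservr.exe parent as suspicious is a heuristic of this example, not something the thread states.

```python
"""Flag suspicious sqlps.exe activity in process-creation logs.
Added example, not Microsoft's detection logic.  The log lines below are
constructed; the field layout (timestamp|host|parent|image|cmdline) is assumed."""
import re

# Constructed process-creation events, pipe-separated.
SAMPLE_LOG = """\
2022-05-17T10:01:02Z|sql01|sqlservr.exe|sqlps.exe|sqlps.exe -noprofile -c "whoami; hostname; net user"
2022-05-17T10:01:40Z|sql01|sqlps.exe|sc.exe|sc config MSSQLSERVER obj= LocalSystem
2022-05-17T11:15:00Z|sql02|services.exe|sqlps.exe|sqlps.exe -file C:\\Jobs\\nightly_backup.ps1
2022-05-17T11:16:00Z|ws07|explorer.exe|powershell.exe|powershell.exe -c Get-Date
"""

RECON = ("whoami", "hostname", "net user", "net group", "systeminfo", "ipconfig")
# "sc config <SQL service> ..." covers start-mode and service-account changes.
SERVICE_CHANGE = re.compile(r"\bsc(?:\.exe)?\s+config\s+\S*sql\S*", re.IGNORECASE)

def parse(line):
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent.lower(),
            "image": image.lower(), "cmd": cmd}

def score(ev):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    cmd = ev["cmd"].lower()
    if ev["image"] == "sqlps.exe":
        # sqlps.exe hosts PowerShell, so apply the same scrutiny as powershell.exe.
        if ev["parent"] == "sqlservr.exe":   # heuristic: launched by the SQL engine itself
            reasons.append("sqlps.exe spawned by sqlservr.exe")
        hits = [r for r in RECON if r in cmd]
        if hits:
            reasons.append("recon via sqlps.exe: " + ", ".join(hits))
    if ev["parent"] == "sqlps.exe" and SERVICE_CHANGE.search(ev["cmd"]):
        reasons.append("SQL service reconfigured from a sqlps.exe child")
    return reasons

def hunt(log_text):
    """Return (host, ts, reasons) for every suspicious event in the log."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            reasons = score(ev)
            if reasons:
                out.append((ev["host"], ev["ts"], reasons))
    return out
```

The scheduled backup job on sql02 runs through sqlps.exe too but carries no recon commands, so `hunt(SAMPLE_LOG)` reports only the two sql01 events.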
May 6, 2022
SocGholish, a malware distribution network, started updating its tradecraft toward the end of 2021 with new C2 infrastructure almost every month, additional ways to deploy Cobalt Strike, and the use of publicly available tools for discovery and credential dumping.
These campaigns led to the deployment of tools like PowerSploit, Rubeus, PowerShell Nishang modules, PrivescCheck, and SharpPack. Their notable features include the use of BLISTER loaders and tampering with legitimate DLLs whose exports were modified to launch Cobalt Strike.
Cobalt Strike loaders varied between signed and unsigned portable executable (PE) files and DLLs launched with rundll32. The Beacons followed a unique profile with a distinct watermark, jitter, sleeptime, and werfault.exe as the spawnto process.