US cybersecurity and intelligence agencies have issued a joint advisory warning about a series of attacks carried out by a group called the Bl00dy Ransomware Gang. The education facilities sector of the country got affected due to direct attacks from the attackers. They exploited vulnerable PaperCut servers of the United States in their most recent attack in May 2023.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said the group gained access to victim networks by exploiting CVE-2023-27350, a critical security flaw that affected some versions of PaperCut MF and NG, allowing remote actors to bypass authentication and execute code remotely on vulnerable installations. The group ultimately exfiltrated data and encrypted victim systems, leaving ransom notes on compromised systems demanding payment in exchange for decryption of encrypted files.
“The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.”
The exploitation of CVE-2023-27350 has been observed since mid-April 2023, with attackers using the vulnerability to deploy legitimate remote management and maintenance (RMM) software to drop additional payloads such as Cobalt Strike Beacons, DiceLoader, and TrueBot on compromised systems.
A recent report from cybersecurity firm eSentire revealed new activity targeting an unnamed education sector customer that involved the exploitation of CVE-2023–27350 to drop an XMRig cryptocurrency miner.
The disclosure of these attacks comes after Microsoft reported that Iranian state-sponsored threat groups Mango Sandstorm (aka MuddyWater or Mercury) and Mint Sandstorm (aka Phosphorus) have also deployed attacks against PaperCut print management servers. The US agencies have urged organizations in the education facilities sector to take immediate action to patch their PaperCut servers and implement necessary security measures to prevent similar attacks.
