The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks.
The U.S. Cybersecurity & Infrastructure Security Agency mentions that the threat actor has focused their attacks on the education sector, which has a significant public exposure of the flaw.
“In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” reads the security advisory
“Ultimately, some of these operations led to data exfiltration and encryption of victim systems.”
The PaperCut flaw is tracked as CVE-2023-27350 and is a critical-severity remote code execution (RCE) weakness impacting PaperCut MF and PaperCut NG, printing management software used by roughly 70,000 organizations in over 100 countries.
The vulnerability has been under active exploitation since at least April 18, 2023, about a month after its public disclosure in March.
While the vulnerability was fixed in PaperCut NG and MF versions 20.1.7, 21.2.11, and 22.0.9, organizations have been slow to install the update, allowing exposure to attacks.
Microsoft also reported earlier this week that Iranian hacking groups, including the state-sponsored ‘Muddywater’, have joined the exploitation of CVE-2023-27350 to bypass user authentication and achieve remote execution on their targets.
Unfortunately, the availability of proof-of-concept (PoC) exploits for the PaperCut flaw, some of which are less detected, raises the risk for organizations even more.
Bl00dy vs. Education
CISA says the Education Facilities subsector is responsible for about 68% of the internet-exposed PaperCut servers. However, the number of unpatched and thus vulnerable endpoints is still unknown.
The Bl00dy ransomware attacks observed recently were successful against some targets in the sector, leveraging CVE-2023-27350 to bypass user authentication and access the server as administrators.
This access was then used to spawn new ‘cmd.exe’ and ‘powershell.exe’ processes with the same high privileges to gain remote access to the device and use it as a launchpad to spread laterally through the network.
During this time, the ransomware actors steal data and encrypt the target systems, leaving notes demanding payment in exchange for a working decryptor and the promise not to publish or sell the stolen data.
Sample of the ransom note dropped in the recent Bl00dy attacks (CISA)
The Bl00dy ransomware operation launched in May 2022 and uses an encryptor based on the leaked LockBit source code rather than developing their own software.
They have also been seen using encryptors based on leaked source code from Babuk [VirusTotal] and Conti [VirusTotal].
CISA’s bulletin provides full details of signs of exploitation left on targeted servers, network traffic signatures, and child processes that should be monitored to help organizations stop these attacks.
However, the recommended action is still to apply the available security updates on PaperCut MF and NG servers, which addresses all security gaps exploited by the threat actors.