Bl00dy Gang Ransomware Attacks Education Sector with Critical PaperCut Vulnerability
US cybersecurity and intelligence agencies have warned about attacks being carried out by known threat actors as Bl00dy Ransomware Gang an attempt to exploit the vulnerable PaperCut servers of the country’s education facilities sector.
The attack occurred in early May 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.
“The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Sub-Sector where PaperCut servers were vulnerable to CVE-2023-27350 exposed to the internet,” the agency said.
“Ultimately, some of these operations lead to data exfiltration and encryption of victims’ systems. The Bl00dy Ransomware Gang leaves ransom notes on victims’ systems demanding payment in exchange for decryption of encrypted files.”
CVE-2023-27350 is a now patched critical security flaw affecting some versions of PaperCut MF and NG allowing remote actors to bypass authentication and perform remote code execution on the following affected installations.
Malicious exploits of the vulnerability have been observed since mid-April 2023, with attacks primarily weaponizing it to deploy legitimate remote management and maintenance (RMM) software and use those tools to drop additional payloads such as Cobalt Strike Beacons, DiceLoader, and TrueBot on the compromised system.
The reveal comes as cybersecurity company eSentire excavated new activity targeting an unnamed education sector customer involving the exploit CVE-2023–27350 to take down cryptocurrency miner XMRig.
Attacks against PaperCut’s print management servers have also been used by Iranian state-sponsored threat groups Mango Sandstorm (aka MuddyWater or Mercury) and Mint Sandstorm (aka Phosphorus), Microsoft revealed last week.