Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability
Cyber Security Threat Summary:
“U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday. ‘The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet…ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files,’ the agencies said” (The Hacker News, 2023).
Security Officer Comments:
CVE-2023-27350 is an authentication bypass affecting installations of PaperCut NG 22.0.5 that could allow remote actors to achieve remote code execution on vulnerable instances. Since mid-April 2023, attackers have been exploiting the flaw in the wild to deploy various tools (remote management and maintenance software such as Atera and Syncro) and payloads including Cobalt Strike Beacons, DiceLoader, and TrueBot. Since Horizon3 released a PoC for CVE-2023-27350, exploitation attempts have surged. According to Microsoft, several groups including Mango Sandstorm, Mint Sandstorm, and Lace Tempest have been observed leveraging the flaw to target unpatched systems. Lace Tempest in particular was seen using the flaw to deploy Clop and LockBit ransomware payloads.
Suggested Correction(s):
The vulnerability has been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. Administrators unable to promptly patch their PaperCut servers should take measures to prevent remote exploitation, including: blocking all traffic to the web management port (default port 9191) from external IP addresses on an edge device, as well as blocking all traffic to the same port on the server's own firewall, so that management access is restricted to the server itself and a compromised host elsewhere on the network cannot reach it.
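Because the fix shipped on three separate release lines, a flat comparison against 22.0.9 would wrongly flag the patched 21.2.11 as vulnerable. The following is an added example, not code from PaperCut or the advisory: a small triage helper that checks a reported version against the fix release of its own line. It assumes that lines older than 20.x (for which the advisory lists no fix) are treated as unpatched and that lines newer than 22.x are covered by "22.0.9 and later".

```python
"""Triage PaperCut NG/MF version strings against the CVE-2023-27350 fix
releases listed in the advisory: 20.1.7, 21.2.11 and 22.0.9 and later.
Added example; not PaperCut's or the advisory's own code."""
import re

# Fix release for each major version line, as listed in the advisory.
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}


def parse_version(text: str) -> tuple:
    """Turn '22.0.5' (or '22.0.5 (Build 0)') into a comparable int tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(text: str) -> bool:
    """True if the version is at or above the fix release for its line.

    Assumptions (not stated by the advisory): lines before 20.x have no
    listed fix and are treated as unpatched; lines after 22.x fall under
    '22.0.9 and later' and are treated as fixed.
    """
    v = parse_version(text)
    major = v[0]
    if major < 20:
        return False
    if major > 22:
        return True
    # Compare within the server's own line, not against 22.0.9 globally.
    return v >= FIXED_BY_BRANCH[major]


def needs_patch(versions):
    """Return the reported versions that still lack the fix, in order."""
    return [s for s in versions if not is_patched(s)]


if __name__ == "__main__":
    # Constructed sample inventory, as an asset list might report it.
    sample = ["22.0.5", "22.0.9", "21.2.11", "21.2.10",
              "20.1.7", "20.0.6", "19.2.3", "23.0.1"]
    for s in sample:
        print(f"{s:>8}: {'patched' if is_patched(s) else 'NEEDS PATCH'}")
```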
Link(s):
https://thehackernews.com/2023/05/bl00dy-ransomware-gang-strikes.html