U.S. cybersecurity and intelligence agencies have recently issued warnings regarding the Bl00dy Ransomware Gang, a threat actor actively targeting educational institutions within the country. Their operations have capitalized on vulnerabilities in PaperCut servers, exposing these systems to significant risk.

The joint advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) highlighted that these attacks occurred in early May 2023. The Bl00dy Ransomware Gang exploited weaknesses in PaperCut servers that were vulnerable to CVE-2023-27350, which had been left exposed to the internet.

According to the advisory, “The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector,” signaling a broader trend of cybercriminals focusing on this sector. The intrusions led to serious repercussions, including data exfiltration and encryption of files. The gang typically leaves ransom notes demanding payment for the decryption of affected systems.

Interestingly, the actors behind these attacks utilized TOR and other proxy networks for external communication, thereby attempting to obscure their malicious traffic and evade detection efforts. In MITRE ATT&CK terms, this use of anonymizing proxies belongs to the command and control tactic, and it followed initial access gained through the PaperCut flaw.

CVE-2023-27350, now patched, represents a critical vulnerability affecting various versions of PaperCut MF and NG. It allows remote attackers to bypass authentication mechanisms and execute code remotely, affecting installations from 8.0.0 to 22.0.8. The malicious exploitation of this flaw has been noted since mid-April 2023, with operators deploying legitimate remote management tools to facilitate further attacks, including the introduction of additional malware like Cobalt Strike Beacons and other payloads.
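As an added defender's check (not code from the advisory, the article or PaperCut), the script below parses version strings from a constructed host inventory and flags builds that fall inside the affected range given above, 8.0.0 through 22.0.8 inclusive; the range is taken from this article, and the exact fixed builds should be confirmed against the vendor's own advisory before closing a finding.

```python
"""Triage PaperCut MF/NG builds against the CVE-2023-27350 affected range.
Added example; the range below is the one stated in the article, not a
vendor-verified patch boundary."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive range as stated in the advisory summary above (assumption).
AFFECTED_LOW: Version = (8, 0, 0)
AFFECTED_HIGH: Version = (22, 0, 8)

# Prefer a version that directly follows the product name, so an IP or a
# build number elsewhere in the banner is not mistaken for the version.
_PRODUCT_RE = re.compile(r"PaperCut\s*(?:MF|NG)?\s*v?(\d+)\.(\d+)(?:\.(\d+))?", re.I)
_GENERIC_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract a dotted version such as '22.0.8' or '21.2' from banner text.
    A missing patch component is treated as 0; returns None if none found."""
    m = _PRODUCT_RE.search(text) or _GENERIC_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Version) -> bool:
    """True when the build lies inside the stated affected range."""
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> banner text to host -> 'affected' / 'not-affected' / 'unknown'."""
    verdicts: Dict[str, str] = {}
    for host, banner in inventory.items():
        v = parse_version(banner)
        if v is None:
            verdicts[host] = "unknown"  # no version visible: inspect manually
        else:
            verdicts[host] = "affected" if is_affected(v) else "not-affected"
    return verdicts


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "print-01.example.edu": "PaperCut MF 22.0.8 (Build 65996)",
    "print-02.example.edu": "PaperCut NG 22.0.9 (Build 66139)",
    "print-03.example.edu": "10.20.30.40 - PaperCut NG 21.2.10",
    "print-04.example.edu": "PaperCut MF 7.5",
    "print-05.example.edu": "no banner captured",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```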

Compounding the situation, cybersecurity firm eSentire uncovered new activity targeting an unnamed educational institution, where CVE-2023-27350 was exploited to deploy an XMRig cryptocurrency miner. This shows that attackers are focused not only on data breaches but also on monetizing compromised systems through cryptocurrency mining.

Moreover, attacks against PaperCut print management servers have caught the attention of security experts, as Iranian state-sponsored threat groups, including Mango Sandstorm and Mint Sandstorm, have also shown interest in exploiting similar vulnerabilities. This trend indicates a broader threat landscape affecting educational institutions and the need for enhanced cybersecurity measures within this sector.
