Chris Swagler | May 23rd, 2023

According to a joint advisory issued by the FBI and CISA, the Bl00dy Ransomware group is currently exploiting a PaperCut remote code execution vulnerability to obtain initial access to networks. The United States Cybersecurity and Infrastructure Security Agency noted that threat actors are focusing their attacks on the education sector, which has a high public exposure of the flaw. Based on FBI information, the Bl00dy Ransomware group gained access to victims’ networks across the Education Facilities Subsector in early May 2023, where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Some of these operations can result in data exfiltration and encryption of victims’ systems.

The PaperCut bug, CVE-2023-27350, is a critical-severity remote code execution (RCE) vulnerability that affects PaperCut MF and PaperCut NG, print management software used by about 70,000 companies in over 100 countries. The vulnerability has been exploited since April 18, 2023, roughly a month after being made public in March. Even though the vulnerability was addressed in PaperCut NG and MF versions 20.1.7, 21.2.11, and 22.0.9, companies were slow to install the update, leaving them vulnerable to attacks. It was reported that Iranian threat groups, including the state-sponsored “Muddywater”, are using CVE-2023-27350 to bypass user authentication and execute remote code on their targets. In addition, proof-of-concept (PoC) exploits for the PaperCut flaw exist, some of them less detectable, increasing the risk for companies even further.

According to CISA, the Education Facilities subsector accounts for around 68% of the internet-exposed PaperCut servers. However, the number of unpatched, and consequently vulnerable, endpoints remains unclear. The latest Bl00dy Ransomware attacks were effective against some targets in the sector, using CVE-2023-27350 to bypass user authentication and obtain administrator access to systems. This access is used to launch additional “cmd[.]exe” and “powershell[.]exe” processes with the same high privileges, giving the attackers remote access to devices, which they use to spread laterally across networks. The ransomware threat actors steal data and encrypt target systems, leaving ransom notes demanding payment in exchange for working decryptors and a pledge not to publish or sell the stolen data.

The Bl00dy ransomware operation began in May 2022, and instead of developing its own software, the group employed an encryptor based on the leaked LockBit source code. Additionally, it has used encryptors based on leaked Babuk and Conti source code. CISA’s alert goes into great depth about the exploitation signs left on targeted servers, network traffic signatures, and child processes that need to be monitored to help companies prevent the attacks. However, the recommended action is installing all available security updates on PaperCut MF and NG servers, which addresses all security gaps threat actors exploit.
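
The child-process monitoring mentioned above, as an added example (not taken from CISA's alert or from the original article): it walks process-creation events and flags cmd.exe or powershell.exe anywhere in the PaperCut server's process lineage. The parent process name pc-app.exe, the Sysmon Event ID 1 field names, and the sample events are assumptions made for illustration.

```python
import ntpath

# Assumption: the PaperCut application server process is named pc-app.exe
# (the article does not name it); adjust to match your installation.
PAPERCUT_PARENTS = {"pc-app.exe"}
# Shells the article reports being launched after exploitation.
SHELLS = {"cmd.exe", "powershell.exe"}


def exe_name(path):
    """Lower-cased file name of a Windows path, tolerating quotes."""
    return ntpath.basename(path.strip().strip('"')).lower()


def find_shell_spawns(events):
    """Flag shells started by the PaperCut server, directly or via a descendant.

    `events` are process-creation records in chronological order, using
    Sysmon Event ID 1 field names. Lineage is tracked by ProcessGuid because
    PIDs get reused.
    """
    lineage = set()  # ProcessGuids of processes descended from PaperCut
    hits = []
    for ev in events:
        parent_is_papercut = exe_name(ev.get("ParentImage", "")) in PAPERCUT_PARENTS
        if not (parent_is_papercut or ev.get("ParentProcessGuid") in lineage):
            continue
        lineage.add(ev["ProcessGuid"])
        if exe_name(ev.get("Image", "")) in SHELLS:
            hits.append((ev["ProcessGuid"], exe_name(ev["Image"]), ev.get("User", "")))
    return hits


# Constructed sample events (paths, GUIDs and users are placeholders).
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "User": "LAB\\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "p1", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Apps\PaperCut\pc-app.exe"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r'"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "p1", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Apps\PaperCut\helper.exe", "ParentImage": r"C:\Apps\PaperCut\pc-app.exe"},
]

if __name__ == "__main__":
    for guid, image, user in find_shell_spawns(SAMPLE_EVENTS):
        print(f"ALERT {image} ({guid}) in PaperCut process lineage, user={user}")
```

The second hit shows why lineage matters: the PowerShell process has cmd.exe as its direct parent, so a rule matching only on the immediate parent would miss it.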

With ransomware groups utilizing vulnerabilities to exploit network systems and servers, companies should always remain alert to the current threat landscape and regularly update security patches on software and networks to prevent future exploitation. At SpearTip, our pre-breach advisory services allow certified engineers to examine posture to improve weak points within companies’ networks. We engage with companies’ people, processes, and technology to measure the maturity of the technical environments. Our experts provide technical roadmaps for all vulnerabilities uncovered, ensuring companies have the awareness and support to optimize their overall cybersecurity posture. By comparing technology and internal personnel, we discover blind spots in companies that can lead to significant compromises. We go beyond simple compliance frameworks and examine the day-to-day function of cyber within companies. This leads to critical recommendations by exposing vulnerabilities in software and their people and processes. Identifying technical vulnerabilities inside and outside of companies provides a deeper context to potential gaps in the environment.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
