The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to alert organizations, particularly in the education sector, about the Bl00dy Ransomware gang's active exploitation of the PaperCut remote-code execution vulnerability, CVE-2023-27350. The education sector has a significant public exposure to this flaw.
"In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet," reads the security advisory. "Ultimately, some of these operations led to data exfiltration and encryption of victim systems."
CVE-2023-27350 is a critical-severity remote code execution (RCE) weakness affecting PaperCut MF and PaperCut NG, printing management software used by approximately 70,000 organizations in over 100 countries. The vulnerability has been actively exploited since at least April 18, 2023, roughly a month after its public disclosure in March. Although the vulnerability was fixed in PaperCut NG and MF versions 20.1.7, 21.2.11, and 22.0.9, many organizations have been slow to install the update, leaving them vulnerable to attacks.
Earlier this week, Microsoft reported that Iranian hacking groups, including the state-sponsored 'Muddywater', have also been exploiting CVE-2023-27350 to bypass user authentication and achieve remote execution on their targets. The availability of proof-of-concept (PoC) exploits for the PaperCut flaw, some of which are less likely to be detected by security products, further increases the risk for organizations. CISA states that the Education Facilities subsector accounts for about 68% of the internet-exposed PaperCut servers, but the number of unpatched and vulnerable endpoints remains unknown.
Recent Bl00dy ransomware attacks have been successful against some targets in the education sector, leveraging CVE-2023-27350 to bypass user authentication and access servers as administrators. This access is then used to spawn new 'cmd.exe' and 'powershell.exe' processes with the same high privileges, allowing the attackers to gain remote access to the device and use it as a launchpad to spread laterally through the network. During this time, the ransomware actors exfiltrate data and encrypt target systems, leaving notes demanding payment in exchange for a working decryptor and the promise not to publish or sell the stolen data.
The Bl00dy ransomware operation, which began in May 2022, uses an encryptor based on the leaked LockBit source code instead of developing its own software. The group has also been observed using encryptors based on leaked source code from Babuk and Conti. CISA's bulletin provides complete details of signs of exploitation left on targeted servers, network traffic signatures, and child processes that should be monitored to help organizations stop these attacks. However, the recommended action remains to apply the available security updates on PaperCut MF and NG servers, which addresses all security gaps exploited by the threat actors.
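The post-exploitation pattern described above (the PaperCut server spawning 'cmd.exe' and 'powershell.exe') and CISA's recommendation to monitor child processes can be turned into a simple detection. The following is an added example, not code from the advisory or from PaperCut: it scans constructed process-creation records and flags interpreters launched by the PaperCut server process. It assumes the server runs as pc-app.exe on Windows and uses an assumed install path for the sample data.

```python
"""Flag command interpreters spawned by the PaperCut application server.

Constructed example: parses simplified process-creation records
(Sysmon Event ID 1-style fields) and reports the parent/child pattern
described for CVE-2023-27350 post-exploitation.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: the PaperCut NG/MF application server runs as pc-app.exe on Windows.
PAPERCUT_PARENTS = {"pc-app.exe"}
# Interpreters the advisory says attackers spawn from the compromised server.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

# Constructed sample events: "timestamp|parent_image|image|command_line".
# The install path is assumed, not taken from the advisory.
_PC = "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe"
SAMPLE_EVENTS = [
    f"2023-05-02T10:15:01Z|{_PC}|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    f"2023-05-02T10:15:07Z|{_PC}|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -Command Get-Process",
    "2023-05-02T10:16:00Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe",
    f"2023-05-02T10:16:30Z|{_PC}|C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-web-print.exe|pc-web-print.exe",
]


@dataclass
class Alert:
    timestamp: str
    child: str
    command_line: str


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> Tuple[str, str, str, str]:
    """Split one record into (timestamp, parent name, child name, command line)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ts, basename(parent), basename(image), cmdline


def detect(events: List[str]) -> List[Alert]:
    """Return an Alert for each interpreter spawned by the PaperCut server process."""
    alerts = []
    for line in events:
        ts, parent, child, cmdline = parse_event(line)
        if parent in PAPERCUT_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(ts, child, cmdline))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.timestamp} PaperCut server spawned {a.child}: {a.command_line}")
```

A shell launched from explorer.exe or a legitimate PaperCut helper binary is not flagged; only the server-to-interpreter relationship triggers an alert, which keeps the rule narrow enough for production telemetry.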