The Hacker News | THN:DACFF45926CFB4D006F537C835A3EE55
May 12, 2023 - 7:59 a.m.

Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability

thehackernews.com
CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.942 High
Percentile: 98.7%

U.S. cybersecurity and intelligence agencies have warned of attacks by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers in the country's education facilities sector.

The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.

“The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” the agencies said.

“Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.”

Additionally, the Bl00dy actors are said to have used TOR and other proxies from within victim networks for external communications in an attempt to mask malicious traffic and avoid detection.

CVE-2023-27350 is a now-patched critical security flaw affecting some versions of PaperCut MF and NG that enables a remote actor to bypass authentication and conduct remote code execution on the following affected installations: 8.0.0 to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10, and 22.0.0 to 22.0.8.
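As an added example (not from the article, the advisory, or PaperCut), the following triages a server inventory against the four affected ranges listed above. The hostnames and version-string formats are constructed assumptions, and "not-listed" means only that a version falls outside the ranges the article gives.

```python
import re

# Affected ranges exactly as listed in the article (inclusive bounds).
AFFECTED_RANGES = [
    ((8, 0, 0), (19, 2, 7)),
    ((20, 0, 0), (20, 1, 6)),
    ((21, 0, 0), (21, 2, 10)),
    ((22, 0, 0), (22, 0, 8)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) for the first dotted version in text, or None."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(version_text):
    """Return 'affected', 'not-listed', or 'unknown' (unparseable input)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    # Integer tuples compare numerically, so 21.2.10 > 21.2.9 (a plain
    # string comparison would get this wrong).
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected"
    return "not-listed"

def triage(inventory):
    """Return (host, status) pairs, hosts needing attention first."""
    order = {"affected": 0, "unknown": 1, "not-listed": 2}
    results = {host: classify(ver) for host, ver in inventory.items()}
    return sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0]))

# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "print01.example.edu": "22.0.8",
    "print02.example.edu": "PaperCut MF 21.2.11 (Build 00000)",
    "print03.example.edu": "20.1.6",
    "print04.example.edu": "19.2.8",
    "print05.example.edu": "version string missing",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:10} {host}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed to be patched.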

Malicious exploitation of the vulnerability has been observed since mid-April 2023, with attacks primarily weaponizing it to deploy legitimate remote management and maintenance (RMM) software and use the tool to drop additional payloads such as Cobalt Strike Beacons, DiceLoader, and TrueBot on compromised systems.

The disclosure comes as cybersecurity firm eSentire unearthed new activity targeting an unnamed education sector customer that involved the exploitation of CVE-2023-27350 to drop an XMRig cryptocurrency miner.

Attacks against PaperCut print management servers have also been carried out by Iranian state-sponsored threat groups Mango Sandstorm (aka MuddyWater or Mercury) and Mint Sandstorm (aka Phosphorus), Microsoft revealed last week.
