Education Sector Facing Serious Threat from Bl00dy Ransomware Gang Exploiting PaperCut Vulnerability
Leading U.S. cybersecurity and intelligence agencies have issued a warning regarding a significant cyber threat posed by the Bl00dy Ransomware Gang. This notorious threat actor has targeted the education facilities sector in the country by exploiting vulnerable PaperCut servers. The attacks occurred in early May 2023 and were highlighted in a joint cybersecurity advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
According to the advisory, the Bl00dy Ransomware Gang gained unauthorized access to victim networks in the Education Facilities Subsector, specifically targeting PaperCut servers that were exposed to the internet and susceptible to the CVE-2023-27350 vulnerability.
As a result of these attacks, victim systems experienced data exfiltration and file encryption. The perpetrators left ransom notes on the compromised systems, demanding payment in exchange for decryption of the affected files. To evade detection, the Bl00dy actors used TOR and other proxies inside the victim networks to mask their malicious activity and communications.
CVE-2023-27350 is a critical security flaw affecting certain versions of PaperCut MF and NG. It allows unauthenticated remote actors to bypass authentication and execute code on vulnerable systems. The affected installations are versions 8.0.0 to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10, and 22.0.0 to 22.0.8.
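A quick way to turn the version ranges above into a patch-triage check across a fleet of print servers. This is an added example, not code from the advisory, PaperCut, or Armoryze; the host names and version strings in the sample inventory are constructed, and the only facts it relies on are the four ranges quoted in the text.

```python
# Added example: flag PaperCut MF/NG installs whose version string falls inside
# one of the ranges the text lists as affected by CVE-2023-27350.
from typing import Dict, Tuple

# Range endpoints exactly as quoted in the advisory summary above (inclusive).
AFFECTED_RANGES = [
    ("8.0.0", "19.2.7"),
    ("20.0.0", "20.1.6"),
    ("21.0.0", "21.2.10"),
    ("22.0.0", "22.0.8"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '21.2.10' into (21, 2, 10) so comparisons are numeric.

    A plain string comparison would rank '21.2.9' above '21.2.10' and miss
    an affected host; comparing integer tuples avoids that mistake.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad short strings so '20.1' compares like '20.1.0'.
    return nums + (0,) * (3 - len(nums))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (endpoints included)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version string into host -> 'patch' / 'ok' / 'unparseable'.

    Unparseable versions are reported rather than silently treated as safe,
    since an unknown version on an internet-facing server still needs a look.
    """
    verdicts = {}
    for host, ver in inventory.items():
        try:
            verdicts[host] = "patch" if is_affected(ver) else "ok"
        except ValueError:
            verdicts[host] = "unparseable"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"print-01.example": "21.2.10", "print-02.example": "22.0.9",
              "print-03.example": "19.2.7", "print-04.example": "n/a"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```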
The cybercriminals began exploiting this vulnerability in mid-April 2023. They used it primarily to deploy legitimate remote management and maintenance (RMM) software, which then served as a foothold for delivering additional malicious payloads such as Cobalt Strike Beacons, DiceLoader, and TrueBot to compromised systems.
In a separate incident, cybersecurity firm eSentire uncovered new activity targeting an education sector customer. The attackers exploited CVE-2023-27350 to deploy an XMRig cryptocurrency miner.
These attacks are not isolated incidents. Microsoft recently disclosed that Iranian state-sponsored threat groups, Mango Sandstorm (also known as MuddyWater or Mercury) and Mint Sandstorm (also known as Phosphorus), have also targeted PaperCut print management servers.
Given the continuous targeting of the education sector by cybercriminals, it is crucial for organizations to take immediate action to secure their systems. This includes applying necessary patches, strengthening network defenses, and implementing robust security measures to mitigate the risk of future attacks.
To protect your institution against these threats, Armoryze offers managed security services tailored as per your business and security requirements. Our team of experts can guide you through the process of securing your systems, identifying vulnerabilities, and implementing effective security measures. Don't wait until it's too late – schedule a free consultation with our experts today to ensure the safety of your organization.