Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities

CISA and FBI have observed a ransomware gang exploiting a recent PaperCut vulnerability in attacks targeting the education facilities subsector.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have raised the alarm on a recent PaperCut vulnerability being exploited in ransomware attacks targeting the education sector.

Described as an improper access control issue in the PaperCut MF/NG print management system and tracked as CVE-2023-27350 (CVSS score of 9.8), the flaw allows remote, unauthenticated attackers to bypass authentication and execute arbitrary code on vulnerable devices, with System privileges.

The vulnerability was identified in PaperCut MF and NG versions 8.0 and later and was addressed in March 2023 with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9.

Unpatched PaperCut servers have been targeted in malicious attacks since mid-April, with the Cl0p ransomware operator and Iranian state-sponsored threat actors seen exploiting the flaw.

Now, CISA and the FBI say that the Bl00dy ransomware gang was observed in early May 2023 attempting to exploit CVE-2023-27350 in attacks targeting the education facilities subsector.

According to the US government agencies, roughly 68% of the internet-exposed PaperCut servers in the US are maintained by the education facilities subsector. However, not all these servers are necessarily vulnerable.

The Bl00dy ransomware group, the two agencies say, has exploited unpatched PaperCut servers to gain access to victims’ networks, exfiltrate data, and encrypt systems.

As part of the attacks, the threat actor exploited the PaperCut installations to deploy and execute legitimate remote management and maintenance (RMM) software and used the Tor network and other proxies to hide malicious network traffic.

Advertisement. Scroll to continue reading.

Furthermore, CISA and the FBI also discovered that the ransomware gang downloaded and executed malware such as DiceLoader, TrueBot, and Cobalt Strike beacons.

CISA and the FBI have published indicators of compromise (IoCs), network signatures, and other rule-based detections to help organizations determine whether they have been compromised, but warn that these detections might not be enough, as attackers are known to adapt existing exploits to circumvent detections.

Monitoring system processes and reviewing the PaperCut server options to identify unknown print scripts should also help detect malicious activity related to this vulnerability.

“FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity,” the agencies note.

Related: Huntress: Most PaperCut Installations Not Patched Against Already-Exploited Security Flaw

Related: Dragos Says Ransomware Gang Accessed Limited Data but Failed at Extortion Scheme

Related: Ransomware Group Claims Attack on Constellation Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.

Ransomware

Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Ransomware

Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.