Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities

CISA and FBI have observed a ransomware gang exploiting a recent PaperCut vulnerability in attacks targeting the education facilities subsector.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have raised the alarm on a recent PaperCut vulnerability being exploited in ransomware attacks targeting the education sector.

Described as an improper access control issue in the PaperCut MF/NG print management system and tracked as CVE-2023-27350 (CVSS score of 9.8), the flaw allows remote, unauthenticated attackers to bypass authentication and execute arbitrary code on vulnerable devices, with System privileges.

The vulnerability was identified in PaperCut MF and NG versions 8.0 and later and was addressed in March 2023 with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9.

Unpatched PaperCut servers have been targeted in malicious attacks since mid-April, with the Cl0p ransomware operator and Iranian state-sponsored threat actors seen exploiting the flaw.

Now, CISA and the FBI say that the Bl00dy ransomware gang was observed in early May 2023 attempting to exploit CVE-2023-27350 in attacks targeting the education facilities subsector.

According to the US government agencies, roughly 68% of the internet-exposed PaperCut servers in the US are maintained by the education facilities subsector. However, not all these servers are necessarily vulnerable.

The Bl00dy ransomware group, the two agencies say, has exploited unpatched PaperCut servers to gain access to victims’ networks, exfiltrate data, and encrypt systems.

Advertisement. Scroll to continue reading.

As part of the attacks, the threat actor exploited the PaperCut installations to deploy and execute legitimate remote management and maintenance (RMM) software and used the Tor network and other proxies to hide malicious network traffic.

Furthermore, CISA and the FBI also discovered that the ransomware gang downloaded and executed malware such as DiceLoader, TrueBot, and Cobalt Strike beacons.

CISA and the FBI have published indicators of compromise (IoCs), network signatures, and other rule-based detections to help organizations determine whether they have been compromised, but warn that these detections might not be enough, as attackers are known to adapt existing exploits to circumvent detections.

Monitoring system processes and reviewing the PaperCut server options to identify unknown print scripts should also help detect malicious activity related to this vulnerability.

“FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity,” the agencies note.

Related: Huntress: Most PaperCut Installations Not Patched Against Already-Exploited Security Flaw

Related: Dragos Says Ransomware Gang Accessed Limited Data but Failed at Extortion Scheme

Related: Ransomware Group Claims Attack on Constellation Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.


The City of Oakland has disclosed a ransomware attack that impacted several non-emergency systems.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The personal and health information of more than 3.3 million individuals was stolen in a ransomware attack at Regal Medical Group.