Ransomware

CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities

CISA and FBI have observed a ransomware gang exploiting a recent PaperCut vulnerability in attacks targeting the education facilities subsector.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have raised the alarm on a recent PaperCut vulnerability being exploited in ransomware attacks targeting the education sector.

Described as an improper access control issue in the PaperCut MF/NG print management system and tracked as CVE-2023-27350 (CVSS score of 9.8), the flaw allows remote, unauthenticated attackers to bypass authentication and execute arbitrary code on vulnerable servers with SYSTEM privileges.

The vulnerability was identified in PaperCut MF and NG versions 8.0 and later and was addressed in March 2023 with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9.
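As an added example (not code from the advisory, from SecurityWeek or from PaperCut), the following script turns the fixed-release list above into a patch-status check that can be run over a host inventory. It assumes that branches between 8.x and 19.x have no in-branch fix and must be upgraded, and that branches newer than 22.x ship with the fix; neither assumption is stated in the article.

```python
# Added example, not from the advisory or from PaperCut: classify a
# PaperCut MF/NG version string against the fixed releases named in the
# article (20.1.7, 21.2.11, 22.0.9) to support a patch-status review.
from __future__ import annotations

import re

# Earliest fixed release on each branch, as listed in the article.
FIXED_RELEASES = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
FIRST_AFFECTED_MAJOR = 8  # article: versions 8.0 and later are affected


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '21.2.10' or '21.2.10 (Build 66140)' into a (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def patch_status(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unaffected' for a version string.

    Assumptions (not stated in the article): 8.x-19.x branches have no
    in-branch fix and must upgrade, so they are reported as 'vulnerable';
    branches newer than 22.x are assumed to carry the fix.
    """
    version = parse_version(text)
    major = version[0]
    if major < FIRST_AFFECTED_MAJOR:
        return "unaffected"
    if major in FIXED_RELEASES:
        # Tuple comparison gives the right ordering for x.y.z versions.
        return "fixed" if version >= FIXED_RELEASES[major] else "vulnerable"
    if major > max(FIXED_RELEASES):
        return "fixed"  # assumption: later branches ship with the fix
    return "vulnerable"  # 8.x-19.x: no fixed release listed, upgrade required


def review(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host in an inventory {host: version_string} to its patch status."""
    return {host: patch_status(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the host names and versions are not real data.
    sample = {
        "print-01": "22.0.9",
        "print-02": "21.2.10 (Build 66140)",
        "print-03": "19.2.3",
        "print-04": "7.5",
    }
    for host, status in review(sample).items():
        print(f"{host}: {status}")
```

The version string can be taken from the server's "About" page or the install directory; anything reported as `vulnerable` should be treated as a candidate for the "assume compromise and hunt" guidance further down rather than just a patch ticket.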

Unpatched PaperCut servers have been targeted in malicious attacks since mid-April, with the Cl0p ransomware operator and Iranian state-sponsored threat actors seen exploiting the flaw.

Now, CISA and the FBI say that the Bl00dy ransomware gang was observed in early May 2023 attempting to exploit CVE-2023-27350 in attacks targeting the education facilities subsector.

According to the US government agencies, roughly 68% of the internet-exposed PaperCut servers in the US are maintained by the education facilities subsector. However, not all these servers are necessarily vulnerable.

The Bl00dy ransomware group, the two agencies say, has exploited unpatched PaperCut servers to gain access to victims’ networks, exfiltrate data, and encrypt systems.

As part of the attacks, the threat actor exploited the PaperCut installations to deploy and execute legitimate remote management and maintenance (RMM) software and used the Tor network and other proxies to hide malicious network traffic.

Furthermore, CISA and the FBI also discovered that the ransomware gang downloaded and executed malware such as DiceLoader, TrueBot, and Cobalt Strike beacons.

CISA and the FBI have published indicators of compromise (IoCs), network signatures, and other rule-based detections to help organizations determine whether they have been compromised, but warn that these detections might not be enough, as attackers are known to adapt existing exploits to circumvent detections.

Monitoring system processes and reviewing the PaperCut server options to identify unknown print scripts should also help detect malicious activity related to this vulnerability.
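One concrete form of the process monitoring suggested above is a rule that flags the PaperCut application server spawning a shell or script interpreter, which a print server has little reason to do. The following is an added example and not a detection published by CISA, the FBI or PaperCut; the parent process name `pc-app.exe`, the simplified key=value event format and the sample events are all assumptions constructed for this illustration.

```python
# Added example, not from CISA/FBI or PaperCut: flag process-creation
# events in which the PaperCut application server launches a shell or
# script interpreter. The parent process name is an assumption.
from __future__ import annotations

import re
from typing import NamedTuple

PAPERCUT_PARENTS = {"pc-app.exe"}  # assumed name of the PaperCut server process
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}


class ProcessEvent(NamedTuple):
    timestamp: str
    parent: str
    image: str
    cmdline: str


# Constructed, simplified process-creation records (one key=value line per
# event); real telemetry such as Sysmon process-creation events would be
# normalised to this shape first. None of these lines are real captures.
SAMPLE_EVENTS = """\
ts=2023-05-01T10:03:12Z parent=pc-app.exe image=java.exe cmdline="java.exe -jar server.jar"
ts=2023-05-01T10:03:40Z parent=explorer.exe image=cmd.exe cmdline="cmd.exe"
ts=2023-05-01T10:04:02Z parent=pc-app.exe image=cmd.exe cmdline="cmd.exe /c ver"
ts=2023-05-01T10:04:05Z parent=pc-app.exe image=powershell.exe cmdline="powershell.exe -File update.ps1"
ts=2023-05-01T10:05:11Z parent=pc-app.exe image=pc-print-deploy.exe cmdline="pc-print-deploy.exe --check"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> ProcessEvent:
    """Parse one key=value record into a ProcessEvent (names lower-cased)."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    return ProcessEvent(
        timestamp=fields["ts"],
        parent=fields["parent"].lower(),
        image=fields["image"].lower(),
        cmdline=fields["cmdline"],
    )


def is_suspicious(event: ProcessEvent) -> bool:
    """True when the PaperCut server process spawns a shell/script interpreter."""
    return event.parent in PAPERCUT_PARENTS and event.image in SUSPICIOUS_CHILDREN


def find_alerts(text: str) -> list[ProcessEvent]:
    """Run the rule over a block of event lines and return the matching events."""
    events = (parse_event(line) for line in text.splitlines() if line.strip())
    return [event for event in events if is_suspicious(event)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert.timestamp}: {alert.parent} -> {alert.image} [{alert.cmdline}]")
```

The rule deliberately keys on the parent/child relationship rather than on any specific command line, since the article notes that attackers adapt existing exploits to evade signature-style detections; a `cmd.exe` launched by `explorer.exe` on the same host is not flagged, while the same binary launched by the print server is.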

“FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity,” the agencies note.

Related: Huntress: Most PaperCut Installations Not Patched Against Already-Exploited Security Flaw

Related: Dragos Says Ransomware Gang Accessed Limited Data but Failed at Extortion Scheme

Related: Ransomware Group Claims Attack on Constellation Software

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.