The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that a critical flaw found in PaperCut software is linked to a series of ransomware attacks.
The vulnerability (CVE-2023-27350) in PaperCut, a widely deployed print management product, lets an unauthenticated remote attacker execute arbitrary code on the server.
Attackers exploiting it have deployed ransomware and stolen sensitive data.
More information about this vulnerability can be found here: Microsoft Blames Clop Affiliates in PaperCut Attack
In response to the growing threat, CISA and the Federal Bureau of Investigation (FBI) released advisories on Thursday warning users to take immediate action to mitigate the risks.
“According to information observed by the FBI, malicious actors have been exploiting CVE-2023-27350 since mid-April 2023 and have continued to date,” the technical document states.
The FBI reported that in early May 2023 the education facilities subsector became a prime target for the Bl00dy ransomware gang, which exploited vulnerable PaperCut servers in that subsector for data exfiltration, system encryption and ransom demands.
“The Bl00dy ransomware gang left a ransom note on victims’ systems demanding payment in exchange for decryption of encrypted files.”
The joint advisory provides exploit detection methods for CVE-2023-27350 and indicators of compromise (IOCs) related to the activities of the Bl00dy Ransomware Gang.
The FBI and CISA strongly recommend that users and administrators apply the patch immediately, or apply the workaround where the patch cannot be applied. The agencies also urge organizations that did not patch promptly to assume they have been breached and to use the advisory’s detection signatures to hunt for malicious activity.
When a potential compromise is detected, organizations should apply the incident response recommendations contained in the document.
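The first question a practitioner has to answer before any of the hunting above is whether a given PaperCut server is even on a fixed build. The following is an added example, not code from the advisory, CISA or PaperCut: a small version triage script that compares a PaperCut MF/NG version string against the first fixed release on each supported branch. The fixed versions (20.1.7, 21.2.11 and 22.0.9) are those published in PaperCut's own advisory for CVE-2023-27350; the sample inventory at the bottom is constructed for illustration.

```python
"""Triage PaperCut MF/NG server versions against the CVE-2023-27350 fix.

Added example (not vendor or advisory code). Fixed releases per PaperCut's
published advisory: 20.1.7, 21.2.11, 22.0.9; anything newer on a later
branch is assumed to carry the fix, anything on an older branch is treated
as vulnerable because those branches never received it.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First release on each supported maintenance branch that contains the fix.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}

# Latest fixed release overall; later branches (22.1, 23.x, ...) postdate it.
LATEST_FIXED: Version = max(FIXED_VERSIONS.values())


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; trailing text such as '(Build 66091)' is ignored."""
    core = text.strip().split()[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_patched(version_text: str) -> bool:
    """True if this version already contains the CVE-2023-27350 fix."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is not None:
        return v >= fixed
    # Unlisted branch: newer than every fixed release means a later branch
    # that shipped after the fix; otherwise it is an old, unfixed branch.
    return v > LATEST_FIXED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'patched' | 'vulnerable' | 'unknown' for an inventory."""
    result: Dict[str, str] = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "patched" if is_patched(version_text) else "vulnerable"
        except ValueError:
            result[host] = "unknown"  # could not parse; check by hand
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "print-01.example.edu": "22.0.9 (Build 66105)",
    "print-02.example.edu": "22.0.8 (Build 66091)",
    "print-03.example.edu": "21.2.10",
    "print-04.example.edu": "19.2.3",
    "print-05.example.edu": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

Hosts reported as vulnerable or unknown are the ones to patch (or to isolate with the advisory's workaround) and, per the guidance above, to treat as possibly compromised until the detection signatures have been run against them.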
The document’s publication comes months after the FBI issued a statement regarding a cyber incident that occurred at one of its most high-profile field offices.