
US cybersecurity and intelligence agencies have warned of attacks by a threat actor known as the Bl00dy ransomware gang, which is attempting to exploit vulnerable PaperCut servers against the US education facilities sector.
The attacks occurred in early May 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued on Thursday.
“The Bl00dy ransomware gang accessed victim networks across the education subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” the agencies said.

“Ultimately, some of these operations led to data exfiltration and encryption of victim systems. […] was left on the victim system.”
CVE-2023-27350 is a critical security flaw affecting certain versions of PaperCut MF and NG that has since been patched. It allows remote attackers to bypass authentication and execute arbitrary code on affected installations.
Malicious exploitation of this vulnerability has been observed since mid-April 2023. It has primarily been weaponized to deploy legitimate remote management and maintenance (RMM) software, which is then used to drop additional payloads such as Cobalt Strike Beacon, DiceLoader, and TrueBot on compromised systems.
The disclosure follows cybersecurity firm eSentire’s discovery of new activity targeting an unnamed education industry customer, in which CVE-2023-27350 was exploited to drop the XMRig cryptocurrency miner.
Attacks against PaperCut print management servers are also being carried out by the Iranian state-sponsored threat groups Mango Sandstorm (aka MuddyWater or Mercury) and Mint Sandstorm (aka Phosphorus), Microsoft revealed last week.
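Because the intrusion chain described above begins with the PaperCut server process launching tooling it would never run during normal printing, a defender can hunt for it in process-creation telemetry. The following is an added example, not code from the advisory or from PaperCut; the parent process name pc-app.exe, the `key=value|key=value` log format and the sample events are assumptions constructed for illustration.

```python
"""Flag process-creation events in which the PaperCut server spawns a child it
would not launch during normal printing (shell, script host, installer)."""
from dataclasses import dataclass

# Assumption: PaperCut's application server runs as pc-app.exe on Windows.
# Adjust to the process / service account used in your deployment.
PAPERCUT_PARENT = "pc-app.exe"

# Children a print server has no business launching. Extend with the RMM
# installers you do NOT use; exploitation of CVE-2023-27350 has been seen
# installing legitimate RMM tooling this way.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "mshta.exe", "certutil.exe", "msiexec.exe",
}

@dataclass
class ProcessEvent:
    parent: str   # full path of the parent image
    image: str    # full path of the newly created process image
    cmdline: str

def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value|key=value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["parent"], fields["image"], fields["cmdline"])

def is_suspicious(ev: ProcessEvent) -> bool:
    """True when the PaperCut server process spawned a listed child."""
    return basename(ev.parent) == PAPERCUT_PARENT and basename(ev.image) in SUSPICIOUS_CHILDREN

def find_alerts(lines) -> list:
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

# Constructed sample telemetry, not real logs from any incident (pc-helper.exe is a placeholder).
SAMPLE_LOG = [
    r"parent=C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c whoami",
    r"parent=C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec.exe /i agent.msi /quiet",
    r"parent=C:\Windows\explorer.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe",
    r"parent=C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe|image=C:\Program Files\PaperCut MF\server\bin\win\pc-helper.exe|cmdline=pc-helper.exe",
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"ALERT: {basename(ev.parent)} spawned {basename(ev.image)}: {ev.cmdline}")
```

A hit on the first two sample events is the signal to pull the server offline, check its PaperCut version against the vendor's patched releases, and review for newly installed RMM agents.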