Bloody ransomware gang exploits PaperCut weakness to target schools

The “Bl00dy” ransomware gang has been targeting unpatched instances of PaperCut NG and PaperCut MF in the education sector, according to a joint security advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released on Thursday. Print management software vendor PaperCut had already patched CVE-2023-27350, a critical remote code execution vulnerability in its MF and NG print management products, in March this year. However, unpatched servers came under widespread exploitation last month: PaperCut received its first report of exploitation on April 18, and Microsoft attributed some of the recent attacks to the Clop ransomware gang. CVE-2023-27350 affects MF and NG versions 8.0.0 to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10, and 22.0.0 to 22.0.8.

CISA and the FBI issued the joint security advisory with vulnerability and patch details, workarounds to lock down network access to vulnerable servers, and indicators of compromise. PaperCut’s support page urges customers to update their instances to a fixed version: 20.1.7, 21.2.11, or 22.0.9 and later. Exploitation has since escalated, with the joint advisory detailing a ransomware campaign by the Bl00dy gang that was first observed in early May. According to the advisory, the Bl00dy ransomware gang targets the education facilities subsector, which the U.S. Department of Homeland Security defines as prekindergarten through 12th grade plus postsecondary school education facilities.
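Because the affected ranges and the first fixed release on each branch are both listed above, the first thing a practitioner wants is a reliable way to sort a fleet of print servers into “affected” and “not affected”. The following Python is an added example, not code from PaperCut, CISA or the original article: it parses the version out of a banner string, compares it as an integer tuple (so that 21.2.10 sorts after 21.2.9, which a string comparison would get wrong) and returns the upgrade target for the branch. The hostnames and banner strings in the sample inventory are constructed for the example; any version outside the listed ranges is reported as not listed, which is all the advisory supports.

```python
import re

# Affected version ranges for CVE-2023-27350 (PaperCut MF/NG) as listed above,
# each as (first affected, last affected), inclusive.
AFFECTED_RANGES = [
    ((8, 0, 0), (19, 2, 7)),
    ((20, 0, 0), (20, 1, 6)),
    ((21, 0, 0), (21, 2, 10)),
    ((22, 0, 0), (22, 0, 8)),
]

# First fixed release per maintained branch, as listed above.
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

# Matches the first dotted a.b.c version; two-part versions are deliberately
# not matched so they are flagged for manual inspection rather than guessed.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first a.b.c version in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(n) for n in m.groups()) if m else None


def is_affected(version):
    """True if the version tuple falls inside a published affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def advice(version):
    """Remediation text for a parsed version tuple."""
    if not is_affected(version):
        return "not in a listed affected range"
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed:
        return "upgrade to %d.%d.%d or later" % fixed
    # 8.x through 19.x have no fixed release on their own branch.
    return "upgrade to 20.1.7, 21.2.11 or 22.0.9 or later"


def triage(inventory):
    """inventory: iterable of (host, banner). Returns one dict per host."""
    results = []
    for host, banner in inventory:
        version = parse_version(banner)
        if version is None:
            results.append({"host": host, "version": None, "affected": None,
                            "advice": "version unknown; inspect manually"})
            continue
        results.append({"host": host, "version": version,
                        "affected": is_affected(version),
                        "advice": advice(version)})
    return results


# Constructed sample inventory (hostnames and banners are made up for the example).
SAMPLE_INVENTORY = [
    ("print-01.example.edu", "PaperCut MF 21.2.10 (Build 63000)"),
    ("print-02.example.edu", "PaperCut NG 22.0.9"),
    ("print-03.example.edu", "PaperCut MF 19.2.7"),
    ("print-04.example.edu", "PaperCut NG 22.1.1"),
    ("print-05.example.edu", "banner unavailable"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(r["host"], r["version"], r["affected"], r["advice"])
```

A host whose version cannot be parsed is reported as unknown rather than as safe; given that the advisory describes internet-exposed servers being found and exploited within days, an unreadable banner should be treated as a server to check by hand, not one to skip.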

Education is a particularly popular target for ransomware gangs, even though schools rarely pay the ransom. Despite the likelihood that victims will not pay, the Bl00dy ransomware gang has still chosen to target the education sector using tactics such as double extortion, in which victims face both encryption and the threat of stolen data being published. Bl00dy uses legitimate remote management and maintenance software alongside command and control tooling such as Cobalt Strike Beacons, DiceLoader, and TrueBot. According to a blog post by threat intelligence vendor Cyble, Bl00dy emerged last July with the creation of a dedicated Telegram account, and in August it began publishing victim data on Telegram rather than on the dark web leak sites ransomware gangs usually use.

PaperCut lead solutions architect David O’Hara noted the CISA advisory was “very well done” and that the company is “currently focused on supporting our customers and making sure they have our full attention.” According to the CISA warning, the detections the agency provided may not be airtight against more advanced CVE-2023-27350 exploits because threat actors “are known to adapt exploits to circumvent rule-based detections formulated for the original iterations of exploits observed in the wild.”

Education subsector entities accounted for approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers, according to the advisory. In early May, the Bl00dy ransomware gang gained access to victim networks across the education facilities subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet, leading to data exfiltration and encryption of victim systems.

In summary, the Bl00dy ransomware gang has been targeting unpatched instances of PaperCut NG and PaperCut MF in the education sector in a campaign first detected in early May. The joint advisory from CISA and the FBI urges customers to update to a fixed version, since unpatched servers came under widespread exploitation last month. Education remains a highly popular target for ransomware gangs, which use tactics such as double extortion against their victims, and although victims in this sector typically do not pay the ransom, gangs like Bl00dy still choose to target them.
