US cyber security and intelligence agencies have warned of attacks carried out by a threat actor known as Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the country’s educational facilities sector.
The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued on Thursday.
“The Bl00dy Ransomware Gang gained access to victim networks in the educational facilities subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the Internet,” the agencies said.
“Ultimately, some of these operations led to data exfiltration and encryption of victims’ systems. The Bl00dy Ransomware Gang left ransom notes on victims’ systems demanding payment in exchange for decrypting encrypted files.”
CVE-2023-27350 is a critical security flaw affecting certain versions of PaperCut MF and NG that allows a remote actor to bypass authentication and achieve remote code execution on affected installations.
Malicious exploitation of the vulnerability has been observed since mid-April 2023, with attacks primarily weaponizing it to deploy legitimate Remote Management and Maintenance (RMM) software and then using that tool to drop additional payloads such as Cobalt Strike Beacons, DiceLoader and TrueBot on compromised systems.
The disclosure comes as cybersecurity firm eSentire uncovered new activity targeting an unnamed customer in the education sector that involved exploiting CVE-2023-27350 to drop an XMRig cryptocurrency miner.
Iranian state-sponsored threat groups Mango Sandstorm (aka MuddyWater or Mercury) and Mint Sandstorm (aka Phosphorus) have also launched attacks against PaperCut print management servers, Microsoft revealed last week.
The “Bl00dy” ransomware gang has been wreaking havoc on the education sector by abusing a critical vulnerability in PaperCut, leaving thousands of students and staff throughout the world without their data and potentially putting them at risk. The attack, which occurred in May 2021, is believed to have leveraged a zero-day exploit that disrupted educational printing systems.
Ikaroa, a full stack tech company, aims to provide complete cyber-security solutions tailored to educational institutions. To tackle the situation, we have assembled our team of experts and started to put together a game plan to combat this attack, bringing clarity and order to the chaos.
The most effective strategy is to first start with the root cause of the issue, patching the vulnerable system components, and then move to contain the attack and mitigate the already existing damage. Our technicians are currently looking into the issue and assessing what network and system changes may be necessary to seal off the vulnerability.
We have already started working to create a comprehensive disaster recovery plan and have provided guidance to the affected educational institutions to ensure that their affected systems are patched as quickly and thoroughly as possible.
We have a long road ahead of us to thoroughly protect and secure the educational sector against attacks like this in the future. Ikaroa is committed to providing cutting-edge security solutions to institutions so that they can properly protect their data and their networks. We are confident that through investing in security technologies, the educational sector will be better prepared to respond to threats of this magnitude and remain resilient against cyber threats.