A ransomware group exploited known vulnerabilities in the popular PaperCut print management software in order to target school facilities.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the group, which self-identifies as the Bl00dy Ransomware Gang, exploited education facilities' vulnerable PaperCut servers in May. This subsector of the government facilities space includes pre-kindergarten through 12th grade school facilities (owned by both government and private-sector entities), as well as higher education institutions and business and trade schools.
Though PaperCut issued patches in March for the critical-severity (CVE-2023-27350) and high-severity (CVE-2023-27351) flaws, its software is used by over 100 million users at 89,000 companies globally, and many of those organizations have not yet applied the patches and remain vulnerable to attack. According to CISA, education facilities subsector entities maintained 68 percent of exposed U.S.-based PaperCut servers (though, of note, exposed servers are not necessarily vulnerable ones).
“In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” according to CISA’s Thursday advisory. “Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.”
The flaws, which exist in certain versions of PaperCut's two print management solutions, PaperCut NG and PaperCut MF, allow unauthenticated attackers to execute malicious code remotely. In the incidents involving education facilities, attackers downloaded and executed legitimate remote management and maintenance software on victim systems using commands issued through PaperCut's print scripting interface. The group also sought to evade detection by routing external network communications from inside victim networks through Tor, masking its malicious traffic.
“The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed,” according to CISA.
CISA Director Jen Easterly said that due to collaboration with multiple private-sector partners, CISA was able to notify 43 educational entities that they were running vulnerable PaperCut instances, and notify 31 additional organizations of active exploitation on their networks.
The ransomware group joins several threat groups that have descended on the PaperCut flaws. In April, Microsoft attributed some of the activity to a Clop affiliate, which it tracks as DEV-0950, and said the group had incorporated PaperCut exploits into its attacks as early as April 13. Earlier this week, Microsoft also reported that Iranian state-sponsored threat actors were targeting the flaws.
Two proof-of-concept exploits for achieving remote code execution in vulnerable PaperCut software have also been publicly revealed: one uses the print scripting interface to execute shell commands, and the other leverages the User/Group Sync interface to carry out a living-off-the-land attack.
CISA did not specify which education facilities were impacted. However, school districts and higher education institutions have been a common target for ransomware actors like Vice Society over the past few years. The education space struggles with several security challenges, including a lack of expertise around basic cybersecurity hygiene and a lack of funding to designate toward security priorities like patch management.
CISA urged organizations to upgrade their PaperCut software to the latest version. If organizations cannot immediately patch, they are encouraged to make sure vulnerable PaperCut servers aren’t accessible over the internet.
“FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this [cybersecurity advisory],” said CISA. “If potential compromise is detected, organizations should apply the incident response recommendations included in this [cybersecurity advisory].”