The education sector has been struck by a critical vulnerability known as the “PaperCut” exploit, utilized by the Bl00dy Ransomware Gang. As a result, U.S. cybersecurity and intelligence organizations have issued alerts regarding the recent attacks on educational facilities within the country. The Bl00dy Ransomware Gang specifically targets weak PaperCut servers as part of their malicious activities.
On Thursday, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity alert stating that the attacks occurred at the beginning of May 2023.
According to the authorities, “The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers were exposed to the internet and vulnerable to CVE-2023-27350.”
As a result of these actions, victim systems were encrypted, and data was exfiltrated. Additionally, the Bl00dy Ransomware Gang issued ransom notes on the affected computers, demanding payment in exchange for the decryption of the encrypted contents.
In an additional effort to mask their malicious traffic and avoid detection, the Bl00dy Ransomware Gang allegedly leveraged TOR and other proxies within victim networks for external connections.
According to the authorities, “The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers were exposed to the internet and vulnerable to CVE-2023-27350.”
As a result of these actions, victim systems were encrypted, and data was exfiltrated. Additionally, the Bl00dy Ransomware Gang issued ransom notes on the affected computers, demanding payment in exchange for the decryption of the encrypted contents.
In an additional effort to mask their malicious traffic and avoid detection, the Bl00dy Ransomware Gang allegedly leveraged TOR and other proxies within victim networks for external connections.
The disclosure of this information coincides with the discovery by cybersecurity company eSentire of new malicious activity directed at an unnamed education sector client. The attackers are exploiting the CVE-2023-27350 vulnerability to deliver an XMRig cryptocurrency miner.
Last week, Microsoft revealed that Iranian state-sponsored threat groups Mango Sandstorm (also known as MuddyWater or Mercury) and Mint Sandstorm (also known as Phosphorus) have recently initiated attacks targeting PaperCut print management services.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.