The FBI and Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released a joint advisory warning that a critical vulnerability in PaperCut servers is being actively exploited by ransomware actors to target education facilities.
The critical bug — rated a 9.8 out of 10 for severity by the Common Vulnerability Scoring System — allows for unauthenticated remote code execution and occurs in certain versions of PaperCut NG and PaperCut MF.
PaperCut released a patch in March 2023, but according to the FBI, a group calling themselves the Bl00dy Ransomware Gang has been observed exploiting the vulnerability in attacks starting in mid-April and continuing to the present day. The joint advisory offers detection methods for exploitation as well as indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity.
Both the FBI and CISA encourage organizations that did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in the advisory. If potential compromise is detected, organizations should apply the incident response recommendations from the FBI and CISA.
In late April, SC Media reported that nearly 1,800 internet-exposed servers had been compromised via the PaperCut vulnerability to facilitate the installation of Atera and Syncro remote management and maintenance software hosted in a domain that was previously used to host the TrueBot malware. TrueBot has been tied to the Russian threat operation Silence, which is linked to Evil Corp and the TA505 threat cluster, a report from Huntress revealed.
Shawn Surber, senior director of technical account management at Tanium, said organizations in the education sector should be tracking more than IOCs; they should also build detections based on the group's known behaviors.
“In this case, given detection methods call out looking for child processes spawned from pc-app.exe and modifications to PaperCut server settings,” said Surber. “Impacted organizations under similar circumstances should look to behavioral-based malicious activity in addition to traditional signature-based security.”
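The child-process behavior Surber refers to can be turned into a simple hunting rule. The following is an added example, not code from the advisory, from SC Media, or from PaperCut: it parses constructed Sysmon-style process-creation records (JSON lines with assumed field names `parent_image`, `image`, `host`, `time`, `user`) and flags every process whose parent is `pc-app.exe`, the PaperCut application server process named above. The sample records are made up for the example and are not real telemetry.

```python
"""Hunt for processes spawned by the PaperCut application server (pc-app.exe).

Added example; the event format below is an assumption (Sysmon-style
process-creation records serialized as JSON lines), and every record is
constructed for this example rather than taken from real telemetry.
"""
import json
from typing import Iterable

# Process name the advisory's detection guidance centres on.
PARENT_OF_INTEREST = "pc-app.exe"

# Constructed sample events. Backslashes are doubled because the text is JSON;
# the raw string keeps Python from interpreting them a second time.
SAMPLE_EVENTS = r"""
{"host": "print-srv-01", "time": "2023-04-20T02:11:07Z", "parent_image": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "print-srv-01", "time": "2023-04-20T02:12:40Z", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "user": "CORP\\jdoe"}
{"host": "print-srv-01", "time": "2023-04-20T02:13:02Z", "parent_image": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\PC-APP.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "print-srv-01", "time": "2023-04-20T01:58:15Z", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "user": "NT AUTHORITY\\SYSTEM"}
"""


def basename(path: str) -> str:
    """Return the file name from a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def child_processes_of(events: Iterable[dict], parent_name: str = PARENT_OF_INTEREST) -> list[dict]:
    """Return every event whose parent process image is `parent_name`.

    The comparison is on the file name only and is case-insensitive, so the
    install path and the casing reported by the sensor do not matter. Note
    that the fourth sample event, where pc-app.exe is itself the child of
    services.exe, is deliberately not matched: the rule is about what the
    PaperCut server launches, not about the server starting.
    """
    wanted = parent_name.lower()
    return [ev for ev in events if basename(ev.get("parent_image", "")) == wanted]


def hunt(text: str = SAMPLE_EVENTS) -> list[dict]:
    """Run the rule over JSON-lines telemetry and return compact findings."""
    findings = []
    for ev in child_processes_of(parse_events(text)):
        findings.append({
            "host": ev.get("host"),
            "time": ev.get("time"),
            "child": basename(ev.get("image", "")),
            "user": ev.get("user"),
        })
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f"{f['time']} {f['host']} pc-app.exe -> {f['child']} as {f['user']}")
```

Any hit from this rule deserves a look, but before deploying it broadly an organization should baseline what its own PaperCut server legitimately spawns during normal operation and tune an allowlist from that, so the rule surfaces the unexpected rather than the routine.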
State, local and educational institutions are often in the sweet spot for ransomware activities given their historic security postures and propensity to pay out, said Zach Hanley, chief attack engineer at Horizon3.ai. The PaperCut vulnerability functions as a perfect storm for threat actors if an organization exposes it to the internet, allowing for code execution and access to the internal network.
“This highly privileged role allows attackers to dump the credentials stored on the system from several subsystems like LSASS, LSA, and SAM,” said Hanley. “The dumped credentials then let the attacker laterally move and pivot around the enterprise as a legitimate user.”