FBI and CISA Alert on the Bl00dy PaperCut Vulnerability Exploit


May 16, 2023

World map

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory (CSA) alerting organizations – particularly those in the Education sector - about the ongoing mass exploitation of CVE-2023-27350.  

This vulnerability, for which a patch has been available since March, is present in some versions of PaperCut NG and PaperCut MF and can allow threat actors to engage in unauthenticated remote code execution.

Threat actors identified as the Bl00dy Ransomware Gang in the alert have been observed exploiting vulnerable PaperCut servers since as early as April, the report states. By late April, it was reported that nearly 1,800 internet-exposed servers had been compromised.

“In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems,” according to the alert.

"FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. “If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.”

Takeaway: So how do ransomware operators compromise thousands of servers in a matter of a few weeks? They are increasingly automating exploitation of known vulnerabilities en masse, and the huge increase in the volume of attacks observed in early 2023 is evidence of this latest trend.

March of 2023 was the most prolific month so far for the sheer volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year.

Threat actors are getting better at taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions. Automation means ransomware operators can simply hit more victims faster.

For example, hundreds of organizations have been hit by the Cl0p ransomware gang this year as they continue to exploit a known vulnerability in the GoAnywhere software. We are also seeing signs of automation is attacks exploiting a similar vulnerability in IBM Aspera Faspex. ‍

In early April, researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for its automation, fast encryption speed, and stealthy DLL side-loading for security evasion and persistence.

Later in April, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

These are multi-staged attacks, where the threat actors are designed to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion. This ingress and lateral movement on the targeted network usually takes a good amount of time, so automating these aspects of the attack sequence allows threat actors to compromise more targets faster.

Some of these automated techniques and attack tooling are extremely difficult to detect and are more typical of APT-type operations.

Timely patching of vulnerabilities – both old and new - is something all organizations should prioritize to prevent exploitation. These attackers are out there somewhere scanning for any opening they can find.

Patching can be difficult in some circumstances and take time, but there is no excuse for organizations to be unaware that they need to patch a known vulnerability. Attackers are automating the discovery and exploitation of these vulnerable systems, so organizations should have processes in place to understand if they are exposed. There is really no reason for them to be caught off guard.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.