U.S. Agencies Warn of Bl00dy Ransomware Gang Targeting Education Facilities U.S. cybersecurity and intelligence agencies have issued a joint advisory warning about the Bl00dy Ransomware Gang targeting the education facilities sector. The gang exploited vulnerable PaperCut servers using a critical security flaw (CVE-2023-27350) to gain unauthorized access.
The attacks, occurring in early May 2023, resulted in data exfiltration and encryption of victim systems, with ransom notes demanding payment for file decryption. The exploitation of the vulnerability has been observed since mid-April, with additional payloads like Cobalt Strike Beacons and TrueBot being deployed.
This advisory follows the discovery of a new activity by eSentire, where an education sector customer was targeted using CVE-2023-27350 to drop an XMRig cryptocurrency miner. The vulnerability allows remote code execution and bypasses authentication on vulnerable installations of PaperCut MF and NG.
Iranian state-sponsored threat groups Mango Sandstorm and Mint Sandstorm have also deployed attacks against PaperCut print management servers, as revealed by Microsoft last week.
The coordinated warning aims to raise awareness and urge organizations to patch the critical security flaw to protect against these targeted attacks.
