The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned that the Bl00dy ransomware gang is using a recently patched PaperCut vulnerability in attacks targeting organizations in the education sector.

Tracked as CVE-2023–27350, the flaw allows a remote hacker to bypass authentication process and execute arbitrary code with SYSTEM privileges. The issue affects PaperCut MF and NG versions 8.0 and later. It was addressed by the vendor in March 2023 with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9.

Threat actors, including Clop ransomware operators and Iranian government-backed hacker groups, have been targeting vulnerable PaperCut servers since mid-April this year.

“In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” the two agencies said, noting that the Education Facilities subsector is responsible for nearly 68% of PaperCut internet-exposed servers, although not all of the servers are vulnerable.

In some cases, the Bl00dy ransomware attacks led to data theft and encryption of victim systems.

“According to FBI information, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface. External network communications through Tor and/or other proxies from inside victim networks helped Bl00dy Gang ransomware actors mask their malicious network traffic,” the joint security advisory said.

“The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.”

The Bl00dy ransomware gang began operating around May 2022 and have since targeted organizations using double extortion techniques. The ransomware encrypts files on the victim’s machine and appends the extension of encrypted files as “.bl00dy.” Later, a ransom note is created on the system to demand payment.

Interestingly, the group uses Telegram for publishing stolen data instead of Onion/Tor data leak sites commonly observed in ransomware operations.

Bl00dy ransomware is said to have targeted many well-known organizations across a number of industry sectors such as Consumer Goods, Healthcare, Professional Services, IT and ITES, etc.