
Bl00dy Ransomware Targets Education Orgs via PaperCut Flaw

The Federal Bureau of Investigation (FBI), together with the Cybersecurity and Infrastructure Security Agency (CISA), has issued a joint advisory warning that the Bl00dy ransomware gang is targeting educational organizations through CVE-2023-27350, a critical unauthenticated remote code execution flaw in the PaperCut MF and NG print management servers. The attackers exploit the flaw to gain initial access and then deploy ransomware, posing a significant threat to the education sector.

Bl00dy has been actively targeting schools and other educational institutions that still run unpatched PaperCut servers. Once inside, the attackers deploy ransomware that encrypts critical files and demand payment for the decryption key.

The FBI and CISA have urged educational organizations to act immediately: apply the PaperCut patches, and where that cannot be done right away, restrict network access to the PaperCut server so that its web management interface is reachable only from trusted hosts and never from the internet.

The Bl00dy ransomware gang's targeting of the education sector is particularly concerning as schools and colleges hold sensitive data, including student records and financial information. The impact of a successful ransomware attack can be severe, leading to significant disruptions in educational services and potential data breaches.

To defend against such attacks, educational organizations must adopt a layered approach: patch software and systems promptly, keep internet-facing administrative interfaces such as the PaperCut web console off the public network, and maintain regular, offline backups of critical data so that encrypted files can be restored without paying. User awareness training also helps staff and students recognize the social engineering that often accompanies these intrusions.

The FBI and CISA have emphasized the importance of reporting any suspected or confirmed cyberattacks to law enforcement agencies promptly. Timely reporting can assist authorities in tracking and apprehending cybercriminals, while also providing valuable intelligence to help prevent future attacks.

Bl00dy's use of the PaperCut vulnerability for extortion underscores how quickly newly disclosed flaws are weaponized and why continuous monitoring is necessary. As organizations rely more heavily on networked services, even a print server becomes a viable entry point and has to be treated as part of the attack surface.

Educational institutions must be proactive about this risk. By staying watchful, updating software promptly, and working with law enforcement, the education sector can reduce the chance of falling victim to ransomware and safeguard the integrity of its systems and data.



New Way to Exploit PaperCut Vulnerability Detected

Cybersecurity researchers have discovered a new way to exploit a critical vulnerability in PaperCut servers that evades the detections currently published for it.

The flaw, tracked as CVE-2023-27350 (CVSS score 9.8), affects PaperCut MF and NG versions 8.0 and later up to the fixed releases. It is a critical unauthenticated remote code execution bug that has already been used in ransomware campaigns.

The flaw, reported in March 2023, allowed unauthenticated attackers to reach the administrative interface and execute code through PaperCut's built-in print scripting interface. A patch followed, and in April PaperCut updated its advisory to warn that the bug was being actively exploited in the wild.

Since then, a variety of threat actors, including ransomware operators, have exploited the vulnerability, and post-exploitation activity has typically involved PowerShell commands that fetch and run additional payloads.

Researchers soon released PoC exploits for the RCE flaw, and Microsoft later confirmed that the Clop and LockBit ransomware gangs had used it to gain initial access. In response, several security firms published detection guidance for PaperCut attacks and indicators of compromise, covering Sysmon process-creation rules, PaperCut log file entries, and network signatures.

However, a new attack technique, identified by VulnCheck researchers, can bypass current detections, enabling attackers to exploit CVE-2023-27350 without hindrance. "This report shows that detections that focus on one code execution method, or that focus on a small subset of techniques used by one threat actor, are doomed to be useless in the next round of attacks," explains VulnCheck.

Bypassing Detection 

According to VulnCheck, Sysmon-based detections that key on the PaperCut server process spawning specific child processes have already been defeated by existing PoCs that launch their payload through other means.

As for the log file detections, VulnCheck notes that they cannot be trusted as a reliable indicator of exploitation, because the entries they look for are also produced by ordinary administrator logins. Moreover, there is a way to exploit CVE-2023-27350 without leaving those entries in the log files at all.

Instead of the built-in scripting interface, the newly released PoC abuses the "User/Group Sync" feature in PaperCut NG, which lets an administrator configure a custom external program to perform user authentication.

VulnCheck's PoC points that setting at "/usr/sbin/python3" on Linux and "C:\Windows\System32\ftp.exe" on Windows, then triggers a login attempt whose credential fields carry the input that the chosen program executes.

Because this method does not spawn the child processes the published Sysmon rules look for, and leaves no distinctive log entries, both the Sysmon and log file detections are bypassed. The network signatures are just as fragile: they match the literal request, so an attacker can defeat them by adding a slash or making other trivial changes to the HTTP request.
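As an added example (not code from this post, from VulnCheck, or from PaperCut), the Python below contrasts the narrow detections described above with versions that survive the bypasses: a process rule that alerts on anything the PaperCut server process launches from outside its own install tree rather than only cmd.exe/powershell.exe, and a request rule that canonicalises the URI before matching instead of comparing the literal string. The process name pc-app.exe comes from public detection guidance, the install directory is the assumed Windows default, the endpoint literal is the one named in public write-ups of CVE-2023-27350, and every event and request below is constructed for illustration.

```python
"""Narrow vs. canonicalising detections for the PaperCut bypasses discussed
above.  Added example; all records below are constructed, not real telemetry."""
import re
from urllib.parse import parse_qs, unquote

# --- Process-creation side (Sysmon Event ID 1 style records) -----------------
# pc-app.exe is the PaperCut application server process named in public
# detection guidance; the install directory is the assumed Windows default.
PAPERCUT_PARENT = "pc-app.exe"
PAPERCUT_INSTALL_DIR = "c:\\program files\\papercut ng\\"
NARROW_CHILDREN = {"cmd.exe", "powershell.exe"}


def image_name(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def narrow_process_rule(event: dict) -> bool:
    """Mimics a rule that only fires on pc-app.exe -> cmd.exe / powershell.exe."""
    return (image_name(event["ParentImage"]) == PAPERCUT_PARENT
            and image_name(event["Image"]) in NARROW_CHILDREN)


def broad_process_rule(event: dict) -> bool:
    """Fires when pc-app.exe launches anything outside its own install tree,
    so ftp.exe, python and cmd.exe are all caught.  Tune the prefix per host."""
    return (image_name(event["ParentImage"]) == PAPERCUT_PARENT
            and not event["Image"].lower().startswith(PAPERCUT_INSTALL_DIR))


# --- Network side (request target from the HTTP request line) ----------------
# Endpoint literal from public write-ups of CVE-2023-27350; substitute whatever
# your own signature matches.
SIGNATURE_LITERAL = "/app?service=page/SetupCompleted"
SIG_PATH = "/app"
SIG_SERVICE = "page/setupcompleted"


def narrow_uri_rule(target: str) -> bool:
    """Literal, case-sensitive match on the request target."""
    return target == SIGNATURE_LITERAL


def canonical_request(target: str):
    """Percent-decode, collapse repeated slashes, drop a trailing slash,
    lower-case, and parse the query into parameters before matching."""
    raw_path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(raw_path)).rstrip("/") or "/"
    params = {
        key.lower(): [value.lower() for value in values]
        for key, values in parse_qs(query, keep_blank_values=True).items()
    }
    return path.lower(), params


def broad_uri_rule(target: str) -> bool:
    """Match on the canonical form instead of the literal request."""
    path, params = canonical_request(target)
    return path == SIG_PATH and SIG_SERVICE in params.get("service", [])


# --- Constructed samples ------------------------------------------------------
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                # early PoCs
    {"ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\ftp.exe"},                # VulnCheck variant
    {"ParentImage": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "Image": r"C:\Program Files\PaperCut NG\server\bin\win\helper.exe"},  # benign stand-in
]
REQUEST_TARGETS = [
    "/app?service=page/SetupCompleted",        # as published
    "//app?service=page/SetupCompleted",       # extra slash
    "/app?service=page%2FSetupCompleted",      # percent-encoded slash
    "/app?x=1&service=page/SetupCompleted",    # parameter order changed
    "/app?service=page/Home",                  # unrelated page, must not fire
]


def compare_rules():
    """Return (narrow_hits, broad_hits) over the constructed samples."""
    narrow = (sum(narrow_process_rule(e) for e in PROCESS_EVENTS)
              + sum(narrow_uri_rule(t) for t in REQUEST_TARGETS))
    broad = (sum(broad_process_rule(e) for e in PROCESS_EVENTS)
             + sum(broad_uri_rule(t) for t in REQUEST_TARGETS))
    return narrow, broad


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(image_name(ev["Image"]), narrow_process_rule(ev), broad_process_rule(ev))
    for t in REQUEST_TARGETS:
        print(t, narrow_uri_rule(t), broad_uri_rule(t))
    print(compare_rules())
```

Which request variants a given PaperCut build actually accepts depends on how its web framework normalises paths; the point is that a detector should canonicalise at least as aggressively as the server does, and a process rule should describe what the server is allowed to launch rather than enumerate what one attacker launched.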

VulnCheck did not offer alternative detection techniques that cover all of the PoCs, but it warned that attackers closely follow the detection logic defenders publish and adjust their tradecraft to slip past it.

The reliable defense, therefore, is to apply the vendor's security patches: PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, 22.0.9 and later fix the flaw.