June 7, 2023

FBI and CISA have issued a joint advisory warning that the Bl00dy Ransomware group is actively targeting the education sector by exploiting the PaperCut remote-code execution vulnerability CVE-2023-27350.

Active since mid last year, Bl00dy ransomware has been the first group that started using the leaked LockBit ransomware builder in attacks in the wild.

Treat actors started exploiting the CVE-2023-27350 flaw in mid-April 2023, and the attacks are still ongoing. The attacks against the Education Facilities Subsector started in early May.

Advertisements

The report states that the gang is targeting the Education Facilities Subsector entities because they maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers.

As a result of some of these attacks, threat actors exfiltrated data of the victim systems and demanded the payment of a ransom for the decryption of encrypted files.

Educational institutions are often in the sweet spot for ransomware activities. The PaperCut vulnerability functions as a perfect storm for threat actors if an organization exposes it to the internet, allowing for code execution and access to the internal network.

The FBI also identified information relating to the download and execution of C2 malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.

Advertisements

The US agencies recommend network defenders’ focus detection efforts on network traffic signatures, system monitoring, and server settings and log files.

Bl00dy Domains

  • anydeskupdate[.]com
  • anydeskupdates[.]com
  • ber6vjyb[.]com
  • netviewremote[.]com
  • study.abroad[.]ge
  • upd343.winserverupdates[.]com
  • upd488.windowservicecemter[.]com
  • upd488.windowservicecemter[.]com/download/update.dll
  • File: Cobalt Strike Beacon
  • updateservicecenter[.]com
  • windowcsupdates[.]com
  • windowservicecemter[.]com
  • windowservicecentar[.]com
  • windowservicecenter[.]com
  • winserverupdates[.]com
  • winserverupdates[.]com

Bl00dy Emails

  • decrypt.support@privyonline[.]com
  • fimaribahundqf@gmx[.]com
  • main-office@data-highstream[.]com
  • prepalkeinuc0u@gmx[.]com
  • tpyrcne@onionmail[.]org
Tags:

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: