December 9, 2023

FBI and CISA have issued a joint advisory warning that the Bl00dy Ransomware group is actively targeting the education sector by exploiting the PaperCut remote-code execution vulnerability CVE-2023-27350.

Active since mid last year, Bl00dy ransomware has been the first group that started using the leaked LockBit ransomware builder in attacks in the wild.

Treat actors started exploiting the CVE-2023-27350 flaw in mid-April 2023, and the attacks are still ongoing. The attacks against the Education Facilities Subsector started in early May.

Advertisements

The report states that the gang is targeting the Education Facilities Subsector entities because they maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers.

As a result of some of these attacks, threat actors exfiltrated data of the victim systems and demanded the payment of a ransom for the decryption of encrypted files.

Educational institutions are often in the sweet spot for ransomware activities. The PaperCut vulnerability functions as a perfect storm for threat actors if an organization exposes it to the internet, allowing for code execution and access to the internal network.

The FBI also identified information relating to the download and execution of C2 malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.

Advertisements

The US agencies recommend network defenders’ focus detection efforts on network traffic signatures, system monitoring, and server settings and log files.

Bl00dy Domains

  • anydeskupdate[.]com
  • anydeskupdates[.]com
  • ber6vjyb[.]com
  • netviewremote[.]com
  • study.abroad[.]ge
  • upd343.winserverupdates[.]com
  • upd488.windowservicecemter[.]com
  • upd488.windowservicecemter[.]com/download/update.dll
  • File: Cobalt Strike Beacon
  • updateservicecenter[.]com
  • windowcsupdates[.]com
  • windowservicecemter[.]com
  • windowservicecentar[.]com
  • windowservicecenter[.]com
  • winserverupdates[.]com
  • winserverupdates[.]com

Bl00dy Emails

  • decrypt.support@privyonline[.]com
  • fimaribahundqf@gmx[.]com
  • main-office@data-highstream[.]com
  • prepalkeinuc0u@gmx[.]com
  • tpyrcne@onionmail[.]org

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d