top of page
Writer's pictureInception Security

CVE-2023-27350 PaperCut and Bl00dy Ransomware Gang

The vulnerability CVE-2023-27350 enables remote actors to sidestep authentication and execute remote code on several versions of PaperCut installations, including:

  • Version 8.0.0 up to 19.2.7

  • Version 20.0.0 up to 20.1.6

  • Version 21.0.0 up to 21.2.10

  • Version 22.0.0 up to 22.0.8

The susceptibility arises from inadequate access controls in the SetupCompleted Java class in PaperCut servers affected by CVE-2023-27350. This flaw enables malicious entities to circumvent user authentication, gain administrative access to the server, and use the existing features of the PaperCut software for remote code execution (RCE). Two known methods of achieving RCE in vulnerable PaperCut software include:

  • Executing shell commands via the print scripting interface.

  • Using the User/Group Sync interface to execute a living-off-the-land-style attack.

The FBI and CISA warn that attackers may devise additional methods for RCE.


The PaperCut server process pc-app.exe operates with SYSTEM or root-level privileges. If the software is manipulated to execute processes like cmd.exe or powershell.exe, these subprocesses are created with the same privileges. Any commands associated with these processes also operate with identical privileges, enabling a broad scope of post-exploitation activities following the initial compromise.


The CVE was listed in the CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 21, 2023.


Activities of Threat Actors


Entities in the Education Facilities Subsector hold around 68% of the exposed (but not necessarily vulnerable) U.S.-based PaperCut servers. Early in May 2023, the Bl00dy Ransomware Gang reportedly accessed victim networks across this subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Some of these operations resulted in data exfiltration and encryption of victim systems.


According to the FBI, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut's print scripting interface. The Bl00dy Gang ransomware actors used external network communications through Tor and/or other proxies to conceal their malicious network traffic. The FBI also found evidence of the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons. However, the attack stage where these tools were used remains uncertain.


Detection Techniques


Network defenders should concentrate on three key areas for detection:

  1. Network traffic signatures: Monitor attempts to access the SetupCompleted page of an exposed and vulnerable PaperCut server.

  2. System monitoring: Watch for child processes initiated from a PaperCut server's pc-app.exe process.

  3. Server settings and log files: Look for signs of malicious activity in the PaperCut server settings and log files.

To exploit CVE-2023-27350, a malicious actor must first access the SetupCompleted page of the target, which grants them authentication to the targeted PaperCut server. Implement the Emerging Threat Suricata signatures to detect when GET requests are sent to the SetupCompleted page.


In this blog post, we will share Indicators of Compromise (IOCs) obtained from FBI investigations and open-source information as of early May 2023.


Bl00dy Gang Ransomware Email Addresses

Email Address

decrypt.support@privyonline[.]com

​fimaribahundqf@gmx[.]com

main-office@data-highstream[.]com

​prepalkeinuc0u@gmx[.]com

tpyrcne@onionmail[.]org


Bl00dy Gang Ransomware Tox ID

Tox ID

E3213A199CDA7618AC22486EFECBD9F8E049AC36094D56AC1BFBE67EB9C3CF2352CAE9EBD35F


Bl00dy Gang Ransomware IP addresses

IP Address

Port

Date

Description

102.130.112[.]157

N/A

April 2023

N/A

172.106.112[.]46

N/A

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

176.97.76[.]163

N/A

April 2023

Resolves to datacenter Tor node.

192.160.102[.]164

N/A

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

194.87.82[.]7

N/A

April 2023

TrueBot C2. DiceLoader malware.

195.123.246[.]20

N/A

April 2023

TrueBot C2. DiceLoader malware.

198.50.191[.]95

N/A

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

206.197.244[.]75

443

April 2023

N/A

216.122.175[.]114

N/A

April 2023

Outbound communications from powershell.exe.

46.4.20[.]30

N/A

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

5.188.206[.]14

N/A

April 2023

N/A

5.8.18[.]233

N/A

April 2023

Cobalt Strike C2

5.8.18[.]240

N/A

April 2023

Cobalt Strike C2

80.94.95[.]103

N/A

April 2023

N/A

89.105.216[.]106

443

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

92.118.36[.]199

9100, 443

April 2023

Outbound communications from svchost.exe.


Bl00dy Gang Ransomware Domains

Domain

Description

anydeskupdate[.]com

N/A

anydeskupdates[.]com

N/A

ber6vjyb[.]com

Associated with TrueBot C2

netviewremote[.]com

N/A

study.ab

N/A


Bl00dy Gang Ransomware MITRE ATT&CK Techniques

Tactic

Technique

Description

Initial Access

T1190 - Exploit Public-Facing Application

The Bl00dy Gang ransomware actors exploited CVE-2023-27350, a vulnerability in PaperCut servers, to gain initial access.

Execution

T1059 - Command and Scripting Interpreter

The actors executed shell commands via the print scripting interface of the vulnerable PaperCut software.

Execution

T1203 - Exploitation for Client Execution

Malicious remote code execution (RCE) was achieved by exploiting the PaperCut software vulnerability.

Persistence

T1136 - Create Account

The actors could have created new accounts using the administrative access granted by the vulnerability.

Defense Evasion

T1027 - Obfuscated Files or Information

The actors used external network communications through Tor and/or other proxies to conceal their malicious network traffic.

Command and Control

T1090 - Proxy

Tor was used for command and control communications.

Command and Control

T1071 - Application Layer Protocol

The ransomware communicated with its C2 servers through the PaperCut server's process.

Collection

T1005 - Data from Local System

The actors reportedly accessed victim networks and exfiltrated data.

Impact

T1486 - Data Encrypted for Impact

The ransomware encrypted victim systems, demanding ransom for decryption.

Conclusion

In conclusion, the evolving cyber threat landscape is increasingly challenging, with sophisticated threat actors like the Bl00dy Gang Ransomware group exploiting vulnerabilities like CVE-2023-27350 to penetrate networks and cause significant damage. However, equipped with the right knowledge, detection techniques, and an understanding of the tactics used by these actors, organizations can strengthen their defenses and limit the potential impact of such threats.


At Inception Security, we understand the complexities of today's cyber threats and are committed to providing the most effective solutions to help you safeguard your business. If your company experiences an incident, our expert team is ready to assist. We offer comprehensive incident response services, from initial detection and containment to recovery and post-incident review, ensuring your business can quickly resume normal operations. Our proactive approach to cybersecurity, which includes advanced threat intelligence and custom defense strategies, is designed to anticipate and mitigate threats before they can cause harm. Partner with Inception Security today, and let us secure your tomorrow.


Comments


bottom of page