The vulnerability CVE-2023-27350 enables remote actors to sidestep authentication and execute remote code on several versions of PaperCut installations, including:
Version 8.0.0 up to 19.2.7
Version 20.0.0 up to 20.1.6
Version 21.0.0 up to 21.2.10
Version 22.0.0 up to 22.0.8
The susceptibility arises from inadequate access controls in the SetupCompleted Java class in PaperCut servers affected by CVE-2023-27350. This flaw enables malicious entities to circumvent user authentication, gain administrative access to the server, and use the existing features of the PaperCut software for remote code execution (RCE). Two known methods of achieving RCE in vulnerable PaperCut software include:
Executing shell commands via the print scripting interface.
Using the User/Group Sync interface to execute a living-off-the-land-style attack.
The FBI and CISA warn that attackers may devise additional methods for RCE.
The PaperCut server process pc-app.exe operates with SYSTEM or root-level privileges. If the software is manipulated to execute processes like cmd.exe or powershell.exe, these subprocesses are created with the same privileges. Any commands associated with these processes also operate with identical privileges, enabling a broad scope of post-exploitation activities following the initial compromise.
The CVE was listed in the CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 21, 2023.
Activities of Threat Actors
Entities in the Education Facilities Subsector hold around 68% of the exposed (but not necessarily vulnerable) U.S.-based PaperCut servers. Early in May 2023, the Bl00dy Ransomware Gang reportedly accessed victim networks across this subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Some of these operations resulted in data exfiltration and encryption of victim systems.
According to the FBI, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut's print scripting interface. The Bl00dy Gang ransomware actors used external network communications through Tor and/or other proxies to conceal their malicious network traffic. The FBI also found evidence of the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons. However, the attack stage where these tools were used remains uncertain.
Detection Techniques
Network defenders should concentrate on three key areas for detection:
Network traffic signatures: Monitor attempts to access the SetupCompleted page of an exposed and vulnerable PaperCut server.
System monitoring: Watch for child processes initiated from a PaperCut server's pc-app.exe process.
Server settings and log files: Look for signs of malicious activity in the PaperCut server settings and log files.
To exploit CVE-2023-27350, a malicious actor must first access the SetupCompleted page of the target, which grants them authentication to the targeted PaperCut server. Implement the Emerging Threat Suricata signatures to detect when GET requests are sent to the SetupCompleted page.
In this blog post, we will share Indicators of Compromise (IOCs) obtained from FBI investigations and open-source information as of early May 2023.
Bl00dy Gang Ransomware Email Addresses
Email Address |
decrypt.support@privyonline[.]com |
fimaribahundqf@gmx[.]com |
main-office@data-highstream[.]com |
prepalkeinuc0u@gmx[.]com |
tpyrcne@onionmail[.]org |
Bl00dy Gang Ransomware Tox ID
Tox ID |
E3213A199CDA7618AC22486EFECBD9F8E049AC36094D56AC1BFBE67EB9C3CF2352CAE9EBD35F |
Bl00dy Gang Ransomware IP addresses
IP Address | Port | Date | Description |
102.130.112[.]157 | N/A | April 2023 | N/A |
172.106.112[.]46 | N/A | April 2023 | Resolves to Tor node. Network communications with nethelper.exe. |
176.97.76[.]163 | N/A | April 2023 | Resolves to datacenter Tor node. |
192.160.102[.]164 | N/A | April 2023 | Resolves to Tor node. Network communications with nethelper.exe. |
194.87.82[.]7 | N/A | April 2023 | TrueBot C2. DiceLoader malware. |
195.123.246[.]20 | N/A | April 2023 | TrueBot C2. DiceLoader malware. |
198.50.191[.]95 | N/A | April 2023 | Resolves to Tor node. Network communications with nethelper.exe. |
206.197.244[.]75 | 443 | April 2023 | N/A |
216.122.175[.]114 | N/A | April 2023 | Outbound communications from powershell.exe.
|
46.4.20[.]30 | N/A | April 2023 | Resolves to Tor node. Network communications with nethelper.exe. |
5.188.206[.]14 | N/A | April 2023 | N/A |
5.8.18[.]233 | N/A | April 2023 | Cobalt Strike C2 |
5.8.18[.]240 | N/A | April 2023 | Cobalt Strike C2 |
80.94.95[.]103 | N/A | April 2023 | N/A |
89.105.216[.]106 | 443 | April 2023 | Resolves to Tor node. Network communications with nethelper.exe. |
92.118.36[.]199 | 9100, 443 | April 2023 | Outbound communications from svchost.exe. |
Bl00dy Gang Ransomware Domains
Domain | Description |
anydeskupdate[.]com | N/A |
anydeskupdates[.]com | N/A |
ber6vjyb[.]com | Associated with TrueBot C2 |
netviewremote[.]com | N/A |
study.ab | N/A |
Bl00dy Gang Ransomware MITRE ATT&CK Techniques
Tactic | Technique | Description |
Initial Access | T1190 - Exploit Public-Facing Application | The Bl00dy Gang ransomware actors exploited CVE-2023-27350, a vulnerability in PaperCut servers, to gain initial access. |
Execution | T1059 - Command and Scripting Interpreter | The actors executed shell commands via the print scripting interface of the vulnerable PaperCut software. |
Execution | T1203 - Exploitation for Client Execution | Malicious remote code execution (RCE) was achieved by exploiting the PaperCut software vulnerability. |
Persistence | T1136 - Create Account | The actors could have created new accounts using the administrative access granted by the vulnerability. |
Defense Evasion | T1027 - Obfuscated Files or Information | The actors used external network communications through Tor and/or other proxies to conceal their malicious network traffic. |
Command and Control | T1090 - Proxy | Tor was used for command and control communications. |
Command and Control | T1071 - Application Layer Protocol | The ransomware communicated with its C2 servers through the PaperCut server's process. |
Collection | T1005 - Data from Local System | The actors reportedly accessed victim networks and exfiltrated data. |
Impact | T1486 - Data Encrypted for Impact | The ransomware encrypted victim systems, demanding ransom for decryption. |
Conclusion
In conclusion, the evolving cyber threat landscape is increasingly challenging, with sophisticated threat actors like the Bl00dy Gang Ransomware group exploiting vulnerabilities like CVE-2023-27350 to penetrate networks and cause significant damage. However, equipped with the right knowledge, detection techniques, and an understanding of the tactics used by these actors, organizations can strengthen their defenses and limit the potential impact of such threats.
At Inception Security, we understand the complexities of today's cyber threats and are committed to providing the most effective solutions to help you safeguard your business. If your company experiences an incident, our expert team is ready to assist. We offer comprehensive incident response services, from initial detection and containment to recovery and post-incident review, ensuring your business can quickly resume normal operations. Our proactive approach to cybersecurity, which includes advanced threat intelligence and custom defense strategies, is designed to anticipate and mitigate threats before they can cause harm. Partner with Inception Security today, and let us secure your tomorrow.