
Joint Cybersecurity Advisory – Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

Author: Alec Davison

Created: Tuesday, May 16, 2023 - 15:15

Categories: Cybersecurity

WaterISAC regularly provides awareness of recent CISA reporting. While the direct relevance of each report's details to your utility/organization may vary, activity alerts like this are practical for general awareness of active threats and adversary capabilities.

CISA and the FBI recently published a joint Cybersecurity Advisory (CSA) providing network defenders with recommended actions and mitigations to protect against cyber actors exploiting a vulnerability (CVE-2023-27350) in certain versions of PaperCut, a print management software. When exploited, the vulnerability allows an unauthenticated actor to execute malicious code remotely without credentials.

The advisory provides technical details on the Bl00dy Ransomware Gang, which the FBI observed in early May 2023 attempting to exploit vulnerable PaperCut servers against the education facilities subsector. Some of these operations by the Bl00dy Ransomware Gang led to data exfiltration, encryption, and ransom notes left on victim devices. PaperCut released a patch for CVE-2023-27350 in March 2023. Users and administrators are strongly urged to apply patches immediately, or workarounds if unable to patch.

The CSA also includes indicators of compromise to help network defenders detect if this exploitation activity is on their networks. CISA and the FBI encourage network defenders to review the CSA and apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. 

To report suspicious or criminal activity related to information found in the advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CI*************@******hs.gov. Access the full advisory at CISA.
