US cybersecurity and law enforcement agencies have issued a warning about a string of extortion attacks, carried out by the Bl00dy ransomware group, against vulnerable servers in the education sector. The attacks took place in early May 2023 and targeted vulnerable PaperCut servers, according to a joint advisory released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). The attackers gained access through the vulnerable servers and were thus able to exfiltrate data and encrypt victim systems. The attacks were followed by ransom demands in exchange for the restoration of the encrypted files.
The PaperCut vulnerability in question is a critical security flaw, CVE-2023-27350, which affects certain versions of the company's MF and NG software products. Exploitation of this vulnerability has been observed since mid-April 2023, with various groups using it to deploy both legitimate remote monitoring and management (RMM) software and a range of additional malware, including Cobalt Strike Beacons, Diceloader and Truebot.
According to Microsoft, active exploitation of the PaperCut vulnerability has been attributed to the Clop and LockBit groups. More recently, Iranian state-sponsored actors have also joined the attacks; Microsoft tracks them under the identifiers Mango Sandstorm and Mint Sandstorm.