
Bl00dy Ransomware Gang Exploits Critical PaperCut Flaw to Target Education Sector

The cybersecurity landscape witnessed another alarming development this week as the Bl00dy Ransomware Gang actively exploited a critical vulnerability in PaperCut print management servers, specifically targeting educational institutions across the United States. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory detailing the attacks, which occurred in early May 2023.

The Exploit Mechanics

At the heart of these attacks lies CVE-2023-27350, a now-patched critical security flaw affecting PaperCut MF and PaperCut NG servers. This vulnerability enables a remote attacker to bypass authentication entirely and execute arbitrary code on vulnerable installations. The affected versions span a wide range: 8.0.0 to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10, and 22.0.0 to 22.0.8. What makes this particularly dangerous is that exploitation requires no authentication whatsoever — an attacker simply needs network access to the vulnerable PaperCut server.

The Bl00dy actors leveraged this access to deploy legitimate Remote Management and Monitoring (RMM) software on compromised systems, which then served as a foothold for dropping additional malicious payloads including Cobalt Strike Beacons, DiceLoader, and TrueBot. The gang used TOR and other proxy tools from within victim networks to mask their malicious traffic and evade detection by standard network monitoring tools.

Affected Systems

The primary targets have been educational institutions running exposed PaperCut servers. However, cybersecurity firm eSentire uncovered an additional campaign exploiting the same vulnerability to deploy XMRig cryptocurrency miners on compromised systems. This dual-use exploitation pattern — ransomware deployment alongside crypto mining — indicates that multiple threat groups are leveraging the same vulnerability for different financial objectives.

Iranian state-sponsored threat groups, identified by Microsoft as Mango Sandstorm (also known as MuddyWater or Mercury) and Mint Sandstorm (also known as Phosphorus), have also been observed exploiting PaperCut servers since mid-April 2023. The convergence of financially motivated criminal groups and nation-state actors on the same vulnerability underscores the severity of the situation.

The Mitigation Strategy

Organizations running PaperCut MF or NG must immediately update to the latest patched versions. If patching is not immediately possible, administrators should restrict internet-facing access to PaperCut servers through firewall rules and VPN requirements. Network monitoring teams should look for indicators of compromise including unexpected RMM tool installations, TOR network connections from internal systems, and unusual Cobalt Strike beacon traffic.

For the broader crypto community, this incident serves as a reminder that infrastructure vulnerabilities extend beyond blockchain protocols. Organizations holding cryptocurrency assets or operating crypto-adjacent services must maintain rigorous patch management for all internet-facing systems, not just those directly handling digital assets.

Lessons Learned

The PaperCut incident illustrates several key security principles. First, print management servers are often overlooked in security assessments despite being internet-facing and handling sensitive data. Second, the speed at which multiple threat groups weaponize published vulnerabilities — in this case, exploitation began within weeks of disclosure — demands faster patching cycles. Third, the deployment of cryptocurrency miners alongside ransomware shows how threat actors maximize returns from each compromised target.

User Action Required

If your organization runs PaperCut MF or NG, check your version immediately against the affected ranges listed above. Apply the latest security patches without delay. Review network logs for any evidence of RMM tool deployment or TOR traffic originating from internal systems. Ensure that all internet-facing services are covered by your vulnerability management program, regardless of how mundane they may seem.
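As an added example (not code from the article, from the advisory, or from PaperCut), the following Python check compares a server's reported version string against the four affected ranges quoted above. The inventory hostnames and version strings are constructed, and the handling of a trailing build suffix is an assumption about how a version might be reported.

```python
from typing import Dict, List, Tuple

# Affected version ranges for CVE-2023-27350 as quoted in the article
# (FBI/CISA advisory), inclusive on both ends. A version outside these
# ranges is treated as not affected by this flaw only.
AFFECTED_RANGES = [
    ((8, 0, 0), (19, 2, 7)),
    ((20, 0, 0), (20, 1, 6)),
    ((21, 0, 0), (21, 2, 10)),
    ((22, 0, 0), (22, 0, 8)),
]

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "print-lib-01": "19.2.7",
    "print-eng-02": "22.0.8 (Build 66145)",
    "print-admin-03": "22.0.9",
    "print-old-04": "7.5.2",
    "print-dorm-05": "21.2.10",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; any trailing build suffix is ignored (assumed format)."""
    core = text.strip().split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison is lexicographic)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose PaperCut version is in an affected range."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in an affected range, patch it")
```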



9 thoughts on “Bl00dy Ransomware Gang Exploits Critical PaperCut Flaw to Target Education Sector”

  1. CVE-2023-27350 with no auth required and schools as targets. ransomware crews love soft targets with slow IT budgets. this was entirely predictable

    1. ^ the version range is wild. 8.0.0 to 22.0.8, that's basically every PaperCut install ever. most universities run outdated print servers and never patch

    2. universities are the worst for patch management. decentralized IT departments, no central policy, budget cycles measured in years. ransomware groups know this

      1. Dietmar Fuchs

        central IT policy means nothing when the physics dept bought their own PaperCut license on a credit card. shadow IT is the real vulnerability here

  2. print management software being the attack vector for ransomware is so 2023. whoever decided those servers needed internet facing interfaces should reconsider

    1. print servers with internet facing interfaces was a choice. we isolated ours behind VPN in 2019 and never looked back

    2. print servers exposed to the open internet in 2023 is negligence. why does a campus printer need a public IP

  3. RMM tools as persistence mechanism is standard tradecraft now. Bl00dy using legitimate software makes detection way harder since it blends into normal admin traffic

  4. CVE-2023-27350 required zero auth and had a CVSS of 9.8. CISA gave orgs 3 weeks to patch before exploits went wild. most schools never bothered
