<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.contentpasted0
{mso-style-name:contentpasted0;}
span.contentpasted1
{mso-style-name:contentpasted1;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:269968678;
mso-list-template-ids:1142171564;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:340015783;
mso-list-template-ids:-1712411418;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:1298293263;
mso-list-template-ids:1058826804;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Good morning,<o:p></o:p></p>
<p class="MsoNormal">We know that we have a number of client organizations using PaperCut. See below for important information on a vulnerability in that application that is being actively exploited.<o:p></o:p></p>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
<p class="MsoNormal">Thor<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Thor Sage<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Executive Director<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Miami Valley Educational Computer Association<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">937-767-1468 x3101<o:p></o:p></span></p>
<p class="MsoNormal"><a href="http://www.mveca.org/"><span style="color:#1F497D;text-decoration:none"><img border="0" width="174" height="64" style="width:1.8125in;height:.6666in" id="Picture_x0020_1" src="cid:image001.jpg@01D984B7.BEA97B00" alt="MVECA logo"></span></a><span style="color:#1F497D">
</span><a href="https://www.linkedin.com/company/mveca/"><span style="color:#1F497D;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1027" src="cid:image002.jpg@01D984B7.BEA97B00" alt="MVECA on LinkedIn"></span></a><a href="https://twitter.com/mvecarcog"><span style="color:#1F497D;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_2" src="cid:image003.jpg@01D984B7.BEA97B00" alt="MVECA on Twitter"></span></a><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span style="color:#1F497D">Not-for-profit Technology Services for Education and Local Governments<o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Wood, Spencer <<a href="mailto:Spencer.Wood@cisa.dhs.gov">Spencer.Wood@cisa.dhs.gov</a>><br>
<b>Date: </b>Friday, May 12, 2023 at 8:31 AM<br>
<b>To: </b>Geoffrey Andrews <<a href="mailto:geoffrey.andrews@managementcouncil.org">geoffrey.andrews@managementcouncil.org</a>>,
<a href="mailto:Holly.Drake@das.ohio.gov">Holly.Drake@das.ohio.gov</a> <<a href="mailto:holly.drake@das.ohio.gov">holly.drake@das.ohio.gov</a>>,
<a href="mailto:jmccarty@oh-tech.org">jmccarty@oh-tech.org</a> <<a href="mailto:jmccarty@oh-tech.org">jmccarty@oh-tech.org</a>><br>
<b>Cc: </b><a href="mailto:kirk.herath@governor.ohio.gov">kirk.herath@governor.ohio.gov</a> <<a href="mailto:kirk.herath@governor.ohio.gov">kirk.herath@governor.ohio.gov</a>>, Burner, Jillian <<a href="mailto:jburner@ohiosos.gov">jburner@ohiosos.gov</a>>, Williams,
Terin (She/Her/Hers) <<a href="mailto:terin.williams@cisa.dhs.gov">terin.williams@cisa.dhs.gov</a>><br>
<b>Subject: </b>CISA/FBI Cybersecurity Advisory on Actors Exploiting a Vulnerability in PaperCut<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Good morning,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a
<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a" title="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a">
joint Cybersecurity Advisory (CSA)</a> about active exploitation by malicious cyber actors of a known vulnerability in the print management software PaperCut.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
<span style="font-size:12.0pt">The vulnerability, CVE-2023-27350, affects certain versions of PaperCut. When it is exploited, an unauthenticated actor can execute malicious code remotely without credentials.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
<span style="font-size:12.0pt">In early May 2023, the FBI observed a group self-identifying as the Bl00dy Ransomware Gang attempting to exploit vulnerable PaperCut servers that were exposed over the web in the Education Facilities Subsector, including K-12 schools and school districts.
Some of these operations led to data exfiltration, encryption, and ransom notes left on victim systems.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
<span style="font-size:12.0pt">PaperCut released a patch for CVE-2023-27350 in March 2023. Users and administrators are strongly urged to apply the patch immediately, or to apply the published workarounds if they are unable to patch.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
<span style="font-size:12.0pt">All organizations, especially K-12 schools and school districts, are strongly encouraged to implement the recommended mitigations and use the detection methods in this advisory to reduce the likelihood and impact of a ransomware
incident related to the PaperCut vulnerability and exploitation by the Bl00dy Ransomware Gang.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">The advisory can be found at: <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><i><span style="font-size:12.0pt;color:black">Technical Details
</span></i></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">CVE-2023-27350 allows a remote actor to bypass authentication and achieve remote code execution on certain affected versions of PaperCut, a print management application.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2">
<span style="font-size:12.0pt">PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls, thereby allowing malicious actors to bypass user authentication and access the server as an administrator.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2">
<span style="font-size:12.0pt">When the vulnerability is exploited, an unauthenticated actor is able to execute malicious code remotely without credentials.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2">
<span style="font-size:12.0pt">When PaperCut is exploited to execute other processes such as cmd.exe or powershell.exe, a wide range of post-exploitation activity is possible following initial access and compromise.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">The Education Facilities Subsector (educational institutions such as K-12 schools and school districts) maintained approximately 68% of the exposed, but not necessarily vulnerable, United States-based
PaperCut servers.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3">
<span style="font-size:12.0pt">In early May 2023, the Federal Bureau of Investigation (FBI) observed the Bl00dy Ransomware Gang gain access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were
exposed over the web.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3">
<span style="font-size:12.0pt">The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3">
<span style="font-size:12.0pt">The FBI has observed certain command and control (C2) malware, as well as legitimate remote management and maintenance (RMM) software such as Atera, ConnectWise (formerly ScreenConnect), and Syncro, downloaded onto victim systems by
the ransomware gang.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">If you have any questions or would like to discuss this or any other items, please feel free to contact Terin or me.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span class="contentpasted0"><span style="font-size:12.0pt;color:black;background:white">Thank you,</span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span class="contentpasted0"><span style="font-size:12.0pt;color:black;background:white">Spencer</span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span class="contentpasted0"><span style="font-size:12.0pt;color:black;background:white">---</span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span class="contentpasted1"><b><span style="font-size:12.0pt;color:#174E86;background:white">Spencer Wood</span></b></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span class="contentpasted0"><span style="font-size:12.0pt;color:black;background:white">Cybersecurity Advisor, Region 5 (OH)</span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span class="contentpasted0"><span style="font-size:12.0pt;color:black;background:white">Cybersecurity and Infrastructure Security Agency</span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span class="contentpasted0"><span style="font-size:12.0pt;color:black;background:white">O: 202-793-4498 | M: 513-693-2792 |
<a href="mailto:spencer.wood@cisa.dhs.gov">spencer.wood@cisa.dhs.gov</a></span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:12.0pt;color:black;background:white"><img border="0" width="77" height="77" style="width:.802in;height:.802in" id="imageSelected0" src="cid:image006.jpg@01D984B8.2DE03EA0"></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>