
Magniber and Vice Society Actors Exploiting PrintNightmare Flaws

Ransomware operators, including the Magniber and Vice Society groups, have been observed using PrintNightmare exploits in their recent attacks. PrintNightmare is the collective name for a family of around seven vulnerabilities in the Windows Print Spooler service, printer drivers, and the Point and Print feature.

What happened?

  • According to a recent report by CrowdStrike, Magniber has been exploiting PrintNightmare since at least July 13 in attacks on Windows systems. The sample CrowdStrike analyzed used a malicious loader DLL to deobfuscate and load the main ransomware DLL; further analysis of its behavior matched that seen in earlier Magniber campaigns.
  • Separately, the Cisco Talos Intelligence team found that the Vice Society threat actor is also leveraging the vulnerability for post-compromise discovery and reconnaissance. The actor used it to bypass native Windows protections, gaining privilege escalation and enabling credential theft on the targeted devices.

The history of PrintNightmare 

Researchers initially published a proof of concept for CVE-2021-1675, a Print Spooler flaw Microsoft had patched in June. The proof of concept was pulled within hours when it became clear that it still worked against patched systems, meaning it exploited a different and more serious issue than the one originally reported.
  • Several other vulnerabilities have since been found in the Windows Print Spooler service, and the whole set is now referred to as PrintNightmare. The bug attackers have specifically weaponized is CVE-2021-34527.
  • CVE-2021-34527 is the flaw whose scrutiny led to the discovery of the other PrintNightmare bugs; by the time of this report the family was linked to around ten distinct issues.

Microsoft has since disclosed yet another Print Spooler RCE vulnerability, CVE-2021-36958, for which no patch was available at the time of writing; the only mitigation is to stop and disable the Print Spooler service. Microsoft also changed the default behavior of Point and Print so that installing printer drivers through it now requires administrator privileges (the RestrictDriverInstallationToAdministrators registry value, which is treated as 1 when absent since the August 2021 update).
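The following PowerShell script is an added example, not code from the Cyware article, CrowdStrike, Talos, or Microsoft. It audits a Windows host for the mitigations described above (Spooler stopped and disabled, inbound remote printing turned off, Point and Print hardened) and lists recently written DLLs in the spooler driver store, where exploitation of CVE-2021-34527 drops its payload. The registry paths and value names are Microsoft's documented ones; the function names, the 7-day window, and the -Remediate switch are assumptions of this example. It assumes Windows PowerShell 5.1 or later and an elevated prompt.

```powershell
# Added example: audit (and optionally apply) the PrintNightmare mitigations.
# Run elevated. Registry locations are Microsoft's documented policy keys;
# the function names and the -Remediate switch are this example's own.

param(
    [switch]$Remediate   # when set, apply the mitigations instead of only reporting
)

$PointAndPrint  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$DriverStore    = "$env:SystemRoot\System32\spool\drivers\x64\3"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintNightmareMitigations {
    $findings = @()

    # 1. Print Spooler service: the only mitigation for CVE-2021-36958 is to
    #    stop it and set its start type to Disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled')) {
        $findings += "Spooler service is $($spooler.Status), start type $($spooler.StartType)"
    }

    # 2. Inbound remote printing: the policy 'Allow Print Spooler to accept
    #    client connections' = Disabled writes RegisterSpoolerRemoteRpcEndPoint = 2.
    $rpc = Get-RegValue $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    if ($rpc -ne 2) { $findings += "Inbound remote printing not disabled (RegisterSpoolerRemoteRpcEndPoint=$rpc)" }

    # 3. Point and Print hardening. Per Microsoft's CVE-2021-34527 guidance,
    #    NoWarningNoElevationOnInstall and UpdatePromptSettings must be 0 or
    #    absent, and driver installation must be restricted to administrators.
    if ((Get-RegValue $PointAndPrint 'NoWarningNoElevationOnInstall') -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1 (unsafe Point and Print)'
    }
    $ups = Get-RegValue $PointAndPrint 'UpdatePromptSettings'
    if ($null -ne $ups -and $ups -ne 0) {
        $findings += "UpdatePromptSettings=$ups (unsafe Point and Print)"
    }
    if ((Get-RegValue $PointAndPrint 'RestrictDriverInstallationToAdministrators') -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0 (non-admins can install drivers)'
    }

    # 4. Exploits load attacker DLLs through the x64 driver store; flag DLLs
    #    written there (or in its 'Old' subfolder) within the last 7 days.
    if (Test-Path $DriverStore) {
        Get-ChildItem -Path $DriverStore -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
            ForEach-Object { $findings += "Recent DLL in driver store: $($_.FullName) ($($_.LastWriteTime))" }
    }
    return $findings
}

function Invoke-PrintNightmareRemediation {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
    New-Item -Path $PointAndPrint -Force | Out-Null
    Set-ItemProperty -Path $PointAndPrint  -Name NoWarningNoElevationOnInstall             -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrint  -Name UpdatePromptSettings                      -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrint  -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint          -Value 2 -Type DWord
}

$findings = @(Test-PrintNightmareMitigations)
if ($findings.Count -eq 0) { 'No PrintNightmare exposure found.' }
else { $findings | ForEach-Object { "[!] $_" } }
if ($Remediate) { Invoke-PrintNightmareRemediation; 'Mitigations applied; re-run to verify.' }
```

Disabling the Spooler breaks all printing on the host, including print-to-PDF, so on a print server the usual compromise is to leave the service running, disable inbound client connections (step 2), and keep the Point and Print restrictions in place; the driver-store check is worth running on every host regardless, since a fresh DLL under spool\drivers\x64\3\Old is a strong post-exploitation indicator.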

Conclusion

Multiple threat actors have started targeting the PrintNightmare vulnerabilities, which shows that the flaws are being tracked not only by security researchers but by threat actors as well. Organizations should therefore follow the latest attack reporting, apply the available patches promptly, and put the documented mitigations in place for the bugs that remain unpatched.

Publisher: Cyware