Windows Print Spooler Defects Exploited In Ransomware Attacks

Last week, security researchers described ransomware authors incorporating Windows “PrintNightmare” exploits into their attacks.

PrintNightmare is the name of a Windows print spooler vulnerability rated “Critical” that may allow remote code execution attacks with system privileges. Microsoft released security fixes for several vulnerabilities in Windows Print Spooler in June, July, and August. A notice for another was posted last week.

Magniber Ransomware
Ransomware attackers have started using the PrintNightmare vulnerabilities. The Magniber ransomware group, which primarily targets victims in South Korea, is using a PrintNightmare vulnerability in its attacks, according to an August 12 CrowdStrike announcement.

The attack was detected and blocked by CrowdStrike's security software, which uses sensors and machine learning to find indicators of attack, CrowdStrike said. Even so, this pairing of PrintNightmare with ransomware may be part of a trend.

CrowdStrike believes that the PrintNightmare vulnerability associated with the ransomware deployment will likely continue to be exploited by other threat actors. We encourage organizations to always apply the latest security patches and updates to mitigate known vulnerabilities and to adhere to security best practices to strengthen their security posture against sophisticated threats and adversaries.

While this advice sounds good, Microsoft has at times advised disabling the Windows Print Spooler service as a workaround before its fixes arrive. That workaround, however, also stops the machine from printing.
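The following PowerShell script is an added example, not code from the article or from Microsoft, CrowdStrike or Cisco Talos. It audits the Print Spooler service on the local host and, only when run with the `-Enforce` switch (an assumption of this example, not a vendor procedure), applies the workaround the paragraph above describes: stopping and disabling the service. Hosts that share printers are flagged rather than changed, because disabling the spooler there breaks printing for every client of that print server.

```powershell
# Added example (not from the article or any vendor): audit the Print
# Spooler service and optionally apply Microsoft's "disable the spooler"
# workaround. Run from an elevated prompt. -Enforce and the decision rule
# below are this example's own assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce   # without this switch the script only reports
)

function Get-SpoolerPosture {
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Shared printers mean this host acts as a print server for others;
    # disabling the spooler there takes printing away from its clients.
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared.Count
        # "Exposed" here simply means the service is running and can start
        # again on reboot; patch level is not assessed by this script.
        Exposed        = ($svc.Status -eq 'Running') -and ($svc.StartType -ne 'Disabled')
    }
}

$posture = Get-SpoolerPosture
$posture | Format-List

if ($posture.Exposed -and $Enforce) {
    if ($posture.SharedPrinters -gt 0) {
        Write-Warning ("Host shares {0} printer(s); disabling the spooler here would break " +
                       "printing for clients. Patch instead and review manually.") -f $posture.SharedPrinters
    }
    elseif ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Output "Spooler stopped and disabled on $($posture.Host)."
    }
}
```

Because the script declares `SupportsShouldProcess`, `.\Audit-Spooler.ps1 -Enforce -WhatIf` shows what would be changed without touching the service, which is the sensible first run on any fleet where it is unclear which hosts still need to print.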

Will Dormann, Vulnerability Analyst with the US Computer Emergency Preparedness Team (CERT/CC), said in an August 13 Twitter post that a mitigation provided by security company TrueSec still works against the various Windows Print Spooler vulnerabilities:

Is anyone having trouble tracking all the vulnerabilities in Windows Print Spooler? Would you believe that the @truesec mitigation for the original #PrintNightmare still seems to work? *AND* you can still print with the protection in place? The mitigations often beat the patches.

Vice Society Ransomware
Vice Society is another ransomware group that used PrintNightmare vulnerabilities as part of its exploits, according to this Cisco Talos announcement from August 12.

Vice Society, a relatively new ransomware attack group, used the “Print Nightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in the Windows print spooler service to spread laterally across a victim’s network as part of a recent ransomware attack,” the Cisco Talos announcement said. The group used a dynamic link library file which “takes advantage of the recently discovered PrintNightmare vulnerability for which Microsoft has already released a security update,” the announcement adds.

After initial network access is obtained, Vice Society attempts to access an organization’s backup solution, possibly to prevent attempted data recovery operations. The attack group tends to target small and medium organizations, including educational institutions.

Vice Society’s use of PrintNightmare is likely part of a trend, Cisco Talos said:

The use of the vulnerability known as PrintNightmare shows that adversaries are very attentive and will quickly integrate new tools that they find useful for various purposes during their attacks. Several distinct threat actors are now leveraging PrintNightmare, and this adoption will likely continue to increase as long as it is effective.

The Cisco Secure Endpoint solution was able to block this attempted attack, according to the announcement.

About the Author

Kurt Mackie is Senior News Producer for 1105 Media’s Converge360 Group.
