Ransomware Gangs Start Exploiting PrintNightmare Vulnerabilities

Cyber threat actors have started exploiting the recently disclosed “PrintNightmare” vulnerabilities in ransomware attacks on unpatched Windows servers.

The PrintNightmare vulnerabilities are CVE-2021-1675, a Windows Print Spooler flaw that Microsoft initially classified as an elevation-of-privilege vulnerability and later reclassified as remote code execution, and CVE-2021-34527, a remote code execution vulnerability in the same service.

Microsoft released a security update in June 2021 to correct CVE-2021-1675; however, the patch was incomplete, and security researchers showed that the Print Spooler could still be exploited after it had been applied, which led to the separate identifier CVE-2021-34527. An emergency out-of-band update followed in July, but while it closed the remote code execution path it did not fully address the local privilege escalation, which researchers showed could still be achieved through the Point and Print feature. A further update on the August Patch Tuesday addressed that by changing the default Point and Print behaviour so that installing or updating print drivers requires administrative privileges.

Microsoft has also disclosed a further PrintNightmare vulnerability, tracked as CVE-2021-36958, in the Windows Point and Print feature. It is an elevation-of-privilege issue that allows an attacker with local access to a computer to gain SYSTEM privileges. Microsoft issued a security advisory for the then-unpatched flaw along with mitigations, which consist of stopping and disabling the Windows Print Spooler service. A working proof-of-concept exploit has been circulating since mid-July.

CrowdStrike reports that the Magniber ransomware gang has attacked organizations in South Korea by exploiting the PrintNightmare vulnerabilities on unpatched devices, although the attacks on CrowdStrike's customers were blocked before files were encrypted.

At present these are the only known cases of the PrintNightmare flaws being exploited to deliver ransomware, but more threat actors are expected to incorporate exploits for the vulnerabilities into their attacks, if they have not already done so.

It is therefore vital that organizations apply the patches released by Microsoft as soon as possible to prevent exploitation of the flaws. If it is not possible to apply the patches immediately, Microsoft's recommended mitigations should be implemented. It is also strongly recommended to disable the Windows Print Spooler service on all systems that are not used for printing. Note that disabling the service stops local as well as remote printing, so on print servers the patches and the Point and Print restrictions are the appropriate controls rather than disabling the service outright.
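The following PowerShell script is an added example, not code from the NetSec.news article or from Microsoft. It audits a Windows host for the exposure described above and, when run with a -Disable switch, applies the mitigation the article refers to: stopping and disabling the Print Spooler service. The function names and the -Disable switch are this example's own. The registry paths and values it inspects are the settings behind Microsoft's documented Point and Print and "accept client connections" spooler policies; the "expected" values in the checks are the hardened state, not necessarily what every patched host shows by default.

```powershell
# Added example (not from the article or Microsoft). Run from an elevated
# PowerShell session on the host to be checked. Pass -Disable to stop and
# disable the Print Spooler; the script refuses to do so if printers are shared.
param(
    [switch]$Disable
)

# Policy locations for Point and Print and remote spooler connections.
$PointAndPrint  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Get-Printer comes from the PrintManagement module; treat "missing" as zero shares.
    $sharedPrinters = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerStatus  = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
        SpoolerStartup = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
        SharedPrinters = $sharedPrinters.Count
        # 1 = only administrators may install print drivers via Point and Print.
        RestrictDriverInstallationToAdministrators = Get-RegValue $PointAndPrint 'RestrictDriverInstallationToAdministrators'
        # Non-zero values suppress the elevation prompt when a client installs a driver.
        NoWarningNoElevationOnInstall = Get-RegValue $PointAndPrint 'NoWarningNoElevationOnInstall'
        # Non-zero values suppress the prompt when a driver is updated.
        UpdatePromptSettings          = Get-RegValue $PointAndPrint 'UpdatePromptSettings'
        # 2 = spooler does not register its remote RPC endpoint (no inbound remote printing).
        RegisterSpoolerRemoteRpcEndPoint = Get-RegValue $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    }
}

function Test-SpoolerHardened {
    param([pscustomobject]$State)
    $findings = @()
    if ($State.SpoolerStatus -eq 'Running' -and $State.SharedPrinters -eq 0) {
        $findings += 'Spooler is running but no printers are shared: candidate for disabling'
    }
    if ($State.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1 (non-admins may install drivers)'
    }
    if ($State.NoWarningNoElevationOnInstall) {
        $findings += 'NoWarningNoElevationOnInstall is non-zero (elevation prompt suppressed)'
    }
    if ($State.UpdatePromptSettings) {
        $findings += 'UpdatePromptSettings is non-zero (driver update prompt suppressed)'
    }
    if ($State.SpoolerStatus -eq 'Running' -and $State.RegisterSpoolerRemoteRpcEndPoint -ne 2) {
        $findings += 'Spooler accepts remote client connections (RegisterSpoolerRemoteRpcEndPoint is not 2)'
    }
    $findings
}

function Disable-Spooler {
    # The mitigation from the Microsoft advisory: stop the service and prevent it
    # from starting again. Side effect: no local or remote printing until re-enabled.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
}

$state = Get-SpoolerExposure
$state | Format-List

$findings = Test-SpoolerHardened -State $state
if ($findings) {
    Write-Warning ("Findings:`n - " + ($findings -join "`n - "))
} else {
    Write-Host 'No Print Spooler findings.'
}

if ($Disable) {
    if ($state.SharedPrinters -gt 0) {
        Write-Warning "Host shares $($state.SharedPrinters) printer(s); refusing to disable the spooler. Patch and restrict Point and Print instead."
    } else {
        Disable-Spooler
        Write-Host 'Print Spooler stopped and disabled.'
    }
}
```

The audit runs read-only by default so it can be pushed to a fleet (for example through Invoke-Command) to find hosts where the spooler is running without any shared printers, or where the Point and Print prompts have been suppressed by policy. Only the explicit -Disable run changes the host, and it deliberately declines to touch systems that are acting as print servers, since those need the patches and driver-installation restrictions rather than a disabled service.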

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news