It has happened: the first case of a ransomware gang using the Windows PrintNightmare vulnerability to attack Windows servers has been reported. In July 2021, security vendor CrowdStrike thwarted a ransomware attack against a target in South Korea. During the analysis, the security researchers found that the Magniber ransomware gang had attempted to exploit the vulnerability (CVE-2021-34527).
CrowdStrike is a security vendor that provides cloud-based endpoint protection. When the PrintNightmare vulnerability (CVE-2021-34527) became public, CrowdStrike assessed that it would very likely be exploited by threat actors, because it offers both remote code execution (RCE) and local privilege escalation (LPE). That assessment has now been proven correct. In the following tweet, the vendor points to a thwarted ransomware attack that exploited the vulnerability.
CrowdStrike security researchers recently observed new activity related to a ransomware family known as Magniber, which has been around since 2017. The CrowdStrike security solution detected and prevented a malware attack on victims in South Korea on July 13, 2021. The malware attempted to exploit the PrintNightmare vulnerability on Windows Server systems, but the security software stepped in before any encryption took place, the company writes in this blog post.
According to the company, the CrowdStrike Falcon® platform provides multi-layered threat protection by using machine learning (on the sensor and in the cloud) and indicators of attack (IOAs) to identify malicious processes or files associated with known or unknown threats, targeting the tactics and techniques used by attackers to compromise endpoints. This strategy likely prevented the successful attack.
I had written quite a bit about the PrintNightmare vulnerability here on the blog (see links at the end of the article). The timeline of the PrintNightmare vulnerability published by CrowdStrike in its blog post is interesting.
- June 8, 2021: The PrintNightmare vulnerability (CVE-2021-1675) is discovered by security researchers and reported to Microsoft. The researchers had been trying to bypass an earlier patch that addressed the PrintDemon vulnerability (CVE-2020-1048).
- June 21, 2021: Although Microsoft had released a patch for CVE-2021-1675 as part of the June 2021 Patch Tuesday, no further information about exploitation of the vulnerability was disclosed. At that time, the vulnerability was assumed to be exploitable only by a locally authenticated user (LPE). On June 21, however, Microsoft upgraded the vulnerability to critical because it could also allow RCE.
- June 29, 2021: Separately, one of three other security researchers investigating a similar flaw in the Windows Print Spooler service accidentally published a proof of concept (PoC) exploiting the vulnerability (CVE-2021-1675) to a GitHub repository on June 29. Although the PoC was taken down shortly afterwards, the repository had reportedly already been forked, so the PoC was in the wild and available to attackers.
- July 1, 2021: Although Microsoft had fixed CVE-2021-1675 with its patch, the public PoC used a different attack vector to trigger the print spooler vulnerability. By July 1, several different PoCs exploiting the print spooler vulnerability had been released. As a result, a second CVE (CVE-2021-34527) was created on July 1, with Microsoft stating that "CVE-2021-1675 is similar but different from CVE-2021-34527."
- July 6, 2021: Beginning July 6, Microsoft released several out-of-band (OOB) updates intended to mitigate CVE-2021-34527. Hours later, however, security researchers found that the mitigations could again be bypassed under certain conditions. Popular exploit tools such as Metasploit and Mimikatz began to incorporate the exploit code, arming attackers with a working exploit for a vulnerability that had not yet been fully fixed.
Then, as early as July 13, 2021, CrowdStrike detected and thwarted the Magniber ransomware gang's attack. Now that the Print Spooler service is known to have further vulnerabilities (see Windows PrintNightmare, next round with CVE-2021-36958), it is only a matter of time until the next attacks happen.
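As an added example (not code from the original post or from CrowdStrike), here is the check a defender would want on the server fleet before the next spooler bug lands: a report-only PowerShell audit of a single host's PrintNightmare exposure. It checks whether the Print Spooler service is running at all, whether the Point-and-Print policy values match the hardened state Microsoft documented alongside the July 2021 OOB updates in KB5005010 (RestrictDriverInstallationToAdministrators = 1, NoWarningNoElevationOnInstall = 0, UpdatePromptSettings = 0; with either of the latter two set to 1 the mitigation is bypassable by design), and whether a fix KB is installed. The function name, the result layout and the use of KB5004945 (the July 6 Windows 10 OOB update mentioned in the links below) as the fix ID are assumptions of this example; the KB that actually applies depends on the OS build.

```powershell
# Added example, not from the original post or from CrowdStrike.
# Report-only audit of one host's PrintNightmare exposure. Changes nothing.
# Run in an elevated PowerShell session (registry policy keys are in HKLM).
# Assumptions: hardened values per Microsoft KB5005010; KB5004945 is only an
# illustrative fix ID, pass the KBs that apply to your OS builds via -FixKBs.

function Test-PrintNightmareHardening {
    [CmdletBinding()]
    param(
        # Illustrative default; the correct KB depends on the Windows build.
        [string[]]$FixKBs = @('KB5004945')
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [string]$State, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; State = $State; Detail = $Detail })
    }

    # 1. Print Spooler service: if it is not running, none of the spooler
    #    RPC attack surface is reachable. On domain controllers and servers
    #    that never print, disabling it is the cleanest mitigation.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        Add-Result 'Spooler service' 'OK' 'service not present'
    } elseif ($spooler.Status -eq 'Running') {
        Add-Result 'Spooler service' 'EXPOSED' "running, StartType=$($spooler.StartType)"
    } else {
        Add-Result 'Spooler service' 'OK' "$($spooler.Status), StartType=$($spooler.StartType)"
    }

    # 2. Point-and-Print policy values. A missing value means the OS default
    #    applies; a value of 1 for either of the two prompt settings disables
    #    the elevation/warning prompts and reopens the post-OOB bypass.
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $hardened = [ordered]@{
        RestrictDriverInstallationToAdministrators = 1   # only admins install drivers
        NoWarningNoElevationOnInstall              = 0   # keep the elevation prompt
        UpdatePromptSettings                       = 0   # keep the prompt on driver updates
    }
    foreach ($name in $hardened.Keys) {
        $item = Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Add-Result "PointAndPrint\$name" 'UNSET' "not configured, OS default applies (want $($hardened[$name]))"
        } elseif ($item.$name -ne $hardened[$name]) {
            Add-Result "PointAndPrint\$name" 'WEAK' "is $($item.$name), want $($hardened[$name])"
        } else {
            Add-Result "PointAndPrint\$name" 'OK' "is $($item.$name)"
        }
    }

    # 3. Is one of the fix KBs installed? Get-HotFix lists cumulative updates
    #    via Win32_QuickFixEngineering; an empty match means "verify manually",
    #    not necessarily "unpatched", because the KB ID is build-specific.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = $FixKBs | Where-Object { $installed -contains $_ }
    if ($found) {
        Add-Result 'Fix installed' 'OK' ($found -join ', ')
    } else {
        Add-Result 'Fix installed' 'CHECK' "none of $($FixKBs -join ', ') found; confirm the KB for this build"
    }

    return $results
}

# Usage: run locally, or wrap in Invoke-Command to sweep a list of servers.
Test-PrintNightmareHardening | Format-Table -AutoSize
```

Run it on domain controllers first, since those are the hosts where a spooler RCE is most valuable to an attacker. Any row marked EXPOSED, WEAK or UNSET is a finding; on servers that do not need to print, `Stop-Service Spooler; Set-Service Spooler -StartupType Disabled` removes the attack surface regardless of patch level, which is the same advice CISA and Microsoft gave during the July 2021 episode.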
- PoC for Windows print spooler vulnerability public, high RCE risk
- Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
- 0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
- Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
- PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
- The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
- Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
- Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
- Patchday: Windows 10 Updates (July 13, 2021)
- Patchday: Windows 8.1/Server 2012 Updates (July 13, 2021)
- Patchday: Updates for Windows 7/Server 2008 R2 (July 13, 2021)
- Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
- Microsoft Defender for Identity can detect PrintNightmare attacks
- PrintNightmare: Point-and-Print allows installation of arbitrary files
- 0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
- Windows PrintNightmare, next round with CVE-2021-36958