[German]In my blog post Ransomware gang uses PrintNightmare to attack Windows servers, I had reported about the first case where the PrintNightmare vulnerability was used to attack Windows. Now Talos Security has already come across the second case, reporting that the Vice Society ransomware gang is also attacking systems using the Windows PrintNightmare vulnerability.
Vice Society s a ransomware that is believed to be an offshoot of HelloKitty. The ransomware can encrypt both Linux and Windows systems. Ransomware expert Michael Gillespie found the first examples of ransomware attacks from this group in mid-June 2021, as Bleeping Computer reported here.
Now, the Vice Society ransomware gang also seems to have discovered the Windows PrintNightmare vulnerability as a lever to attack Windows systems.
In this article Talos security researchers describe that another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' Print Spooler service. The Vice Society ransomware uses the vulnerability to gain elevated privileges and then spread laterally across a victim's network as part of a recent ransomware attack. While previous research found that other threat actors had already exploited this vulnerability, this appears to be new to the Vice Society threat actor. This is indicated by the results of a Cisco Talos Incident Response investigation.
However, Talos Incident Response's research also shows that several different threat actors find the PrintNightmare vulnerability attractive for their attacks. There is much evidence to suggest that this vulnerability will continue to be exploited by a variety of attackers in the future. It is important for defenders to understand the lifecycle of an attack that leads to the use of ransomware. Details of the attack can be read in this article.
The PrintNightmare vulnerability
In early July 2021, I first reported the CVE-2021-1675 vulnerability in the blog post PoC for Windows print spooler vulnerability public, high RCE risk. It is a remote code execution (RCE) vulnerability that could allow an attacker to execute arbitrary code with SYSTEM privileges. This includes installing programs, viewing, modifying or deleting data, or creating new accounts with full user privileges.
icrosoft has been trying to fix the PrintNightmare vulnerability with updates since the beginning of July 2021 (see the list of links at the end of the article). But after each patch, security researchers prove that the PrintNightmare vulnerability was incompletely patched. In particular, the feature called Point-and-Print, which allows users to install printer drivers, can be abused for attacks. A few days ago, Microsoft issued a new security warning (see Windows PrintNightmare, next round with CVE-2021-36958). Microsoft currently recommends disabling the printer spooler service again.
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
Windows PrintNightmare, next round with CVE-2021-36958
Ransomware gang uses PrintNightmare to attack Windows servers
Cookies helps to fund this blog: Cookie settings