Windows Print Spooler Flaws Leveraged in Ransomware Attacks

Security researchers last week described ransomware perpetrators incorporating Windows "PrintNightmare" exploits in their attacks.

PrintNightmare is the name for "Critical"-rated Windows print spooler flaws that can enable remote code execution attacks with system privileges. Microsoft released security patches for multiple Windows print spooler vulnerabilities in June, July and August. An advisory for another one was issued last week.

Magniber Ransomware
Ransomware attackers are starting to use the PrintNightmare vulnerabilities. The Magniber ransomware group, mostly targeting South Koreans, is using a PrintNightmare vulnerability in its attacks, according to an Aug. 12 CrowdStrike announcement.

The attack was successfully detected and blocked by CrowdStrike security software because it uses sensors and machine learning to find indicators of attack, CrowdStrike indicated. However, this PrintNightmare plus ransomware effort could be part of a trend.

CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors. We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries.

While that advice seems good, Microsoft has sometimes advised disabling the Windows print spooler as a workaround before its patches arrive. Doing so, though, eliminates the ability to print.

Will Dormann, a vulnerability analyst with the U.S. Computer Emergency Readiness Team (CERT/CC), indicated in an Aug. 13 Twitter post that a mitigation provided by security specialist firm TrueSec still works across the various Windows print spooler vulnerabilities:

Anybody having trouble keeping track of all of the Windows Print Spooler vulnerabilities? Would you believe that the @truesec mitigation for the original #PrintNightmare still seems to work? *AND* you can still print with the protection in place? Mitigations beat patches often.
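The trade-off the article raises, that stopping the spooler is a reliable workaround but also removes the ability to print, is the kind of thing worth encoding in an audit script rather than deciding host by host. The following PowerShell is an added example written for this page; it is not code from the article, Microsoft, TrueSec, CrowdStrike or Cisco Talos. It reports the spooler's state on each host and, only when `-Disable` is given, stops and disables the service on hosts that share no printers, leaving print servers untouched. The host names are placeholders, and it assumes PowerShell remoting (WinRM) is enabled and the caller has local administrator rights on the targets.

```powershell
<#
  Added example (not from the article or the vendors it cites).
  Audit the Print Spooler service on one or more Windows hosts and, with -Disable,
  apply the "stop and disable the spooler" workaround the article describes, but only
  where no printers are shared, because the workaround removes the ability to print.
  Host names are placeholders; WinRM remoting and admin rights are assumed.
#>
[CmdletBinding()]
param(
    [string[]]$ComputerName = @('PLACEHOLDER-HOST1', 'PLACEHOLDER-HOST2'),
    [switch]$Disable
)

$audit = {
    param([bool]$ApplyWorkaround)

    $svc = Get-Service -Name Spooler
    # A host that shares printers is acting as a print server; disabling the spooler
    # there would stop printing for every client that uses it, so it is only reported.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

    $action = 'audited'
    if ($ApplyWorkaround) {
        if ($shared.Count -gt 0) {
            $action = 'skipped: shares printers'
        } elseif ($svc.StartType -ne 'Disabled' -or $svc.Status -eq 'Running') {
            Stop-Service -Name Spooler -Force -ErrorAction Stop
            Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
            $svc = Get-Service -Name Spooler   # re-read so the report shows the new state
            $action = 'spooler stopped and disabled'
        } else {
            $action = 'already disabled'
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared.Count
        Action         = $action
    }
}

foreach ($computer in $ComputerName) {
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $audit `
            -ArgumentList ([bool]$Disable) -ErrorAction Stop |
            Select-Object Computer, Status, StartType, SharedPrinters, Action
    } catch {
        # Unreachable hosts are reported, not silently dropped from the audit.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Run it without `-Disable` first to get an inventory of which hosts still run the spooler and which of them share printers; only the second pass changes anything. To check the local machine without remoting, invoke the script block directly with `& $audit $false`. The "shares printers" guard is deliberately conservative: a host that prints to a remote queue but shares nothing itself will still lose printing when its spooler is disabled, which is exactly the cost the article notes, so review the inventory before applying the workaround broadly.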

Vice Society Ransomware
Vice Society is another ransomware group that used PrintNightmare vulnerabilities as part of its exploits, according to this Aug. 12 Cisco Talos announcement.

Vice Society, a relatively new human-operated ransomware attack group, used "PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack," the Cisco Talos announcement indicated. The group used a dynamic link library file that "takes advantage of the recently discovered PrintNightmare vulnerability for which Microsoft has previously released a security update," the announcement added.

After initial network access is gained, Vice Society tries to access an organization's backup solution, possibly to prevent attempted data recovery operations. The attack group tends to target small and midsize organizations, including educational institutions.

Vice Society's use of PrintNightmare is likely part of a trend, Cisco Talos indicated:

The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks. Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective.

The Cisco Secure Endpoint solution was capable of blocking this attack attempt, the announcement contended.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

