Ransomware Gangs Try to Exploit 'PrintNightmare' Flaws
Meanwhile, Microsoft Has Published an Advisory on Another Zero-Day Bug
Security researchers at Cisco Talos and CrowdStrike are tracking ransomware gangs that are attempting to exploit a set of bugs in Microsoft Windows dubbed "PrintNightmare," which the company has been warning about since June.
While Microsoft has issued emergency patches for some of the flaws, attackers are still targeting unpatched systems.
Meanwhile, Microsoft published an out-of-band security advisory Wednesday about another zero-day flaw in the same class of bugs as PrintNightmare, a series of remote code execution vulnerabilities affecting the Windows Print Spooler - the service that manages print jobs and printer drivers - and other printing components found in various versions of the Windows operating system.
Microsoft has published an emergency workaround for this flaw, which is to stop and disable the Print Spooler service, but has not yet issued a patch.
Despite warnings from Microsoft and other security researchers over the last several months, the PrintNightmare vulnerabilities continue to be exploited on Windows systems that have not been patched. In July, the U.S. Cybersecurity and Infrastructure Security Agency issued a directive for federal agencies to immediately patch the flaws (see: CISA Emergency Directive: Patch 'PrintNightmare' Flaw).
In previous alerts, Microsoft noted that these remote code execution vulnerabilities stem from the Windows Print Spooler and related services improperly performing privileged file operations. An attacker who exploits them can run arbitrary code with SYSTEM privileges and can then install programs; view, change or delete data; create new accounts with full user rights; or deploy malware such as ransomware, the company says.
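For a practitioner assessing exposure, the following PowerShell script is an added example, not code from this article, from Microsoft, or from either research team. It checks a single host for the conditions that make the Print Spooler flaws reachable and, when run with -DisableSpooler, applies the workaround Microsoft gives for CVE-2021-36958: stopping and disabling the service. The Point and Print registry value names and the policy-to-registry mapping it relies on are taken from Microsoft's July 2021 guidance for CVE-2021-34527 and KB5005010, and are assumptions as far as this page is concerned; so is the assumption that a host you disable the Spooler on does not need to print.

```powershell
<#
  Added example; not code from the article, Microsoft, Cisco Talos or CrowdStrike.
  Reports PrintNightmare exposure on one Windows host and, with -DisableSpooler,
  applies Microsoft's published workaround for CVE-2021-36958 (stop + disable Spooler).
  Run from an elevated PowerShell session.
  Assumptions not stated on the page: the Point and Print value names below follow
  Microsoft's July 2021 guidance (CVE-2021-34527 / KB5005010), and the host you
  disable the Spooler on does not need local or remote printing.
#>
param(
    [switch]$DisableSpooler
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the Print Spooler present and running? If it is stopped, none of the
#    Spooler remote code execution bugs are reachable on this host.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output 'Spooler service not installed; nothing to do.'
    return
}
Write-Output ('Spooler: Status={0} StartType={1}' -f $spooler.Status, $spooler.StartType)
if ($spooler.Status -eq 'Running') { $findings.Add('Print Spooler is running') }

# 2. Point and Print policy. Either of the first two values set to 1 re-opens the
#    driver-installation path the July 2021 fix for CVE-2021-34527 closed;
#    RestrictDriverInstallation=1 (added with KB5005010) limits printer driver
#    installation to administrators.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pp = $null
if (Test-Path $ppKey) { $pp = Get-ItemProperty -Path $ppKey }
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    if ($null -ne $pp -and $pp.$name -eq 1) {
        $findings.Add("$name = 1 weakens the CVE-2021-34527 fix")
    }
}
if (-not ($null -ne $pp -and $pp.RestrictDriverInstallation -eq 1)) {
    $findings.Add('RestrictDriverInstallation is not 1 (non-admins may install printer drivers)')
}

# 3. Inbound remote printing. The Group Policy "Allow Print Spooler to accept client
#    connections" writes RegisterSpoolerRemoteRpcEndPoint; a value of 2 means the
#    policy is disabled and the Spooler RPC endpoint is not exposed to the network.
$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$remoteRpc = $null
if (Test-Path $printersKey) {
    $remoteRpc = (Get-ItemProperty -Path $printersKey).RegisterSpoolerRemoteRpcEndPoint
}
if ($remoteRpc -ne 2) { $findings.Add('Spooler accepts remote client connections') }

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No PrintNightmare exposure findings on this host.'
} else {
    foreach ($f in $findings) { Write-Output "FINDING: $f" }
}

# 5. Optional workaround for CVE-2021-36958: stop and disable the Spooler. This removes
#    all printing from the host, so apply it only where printing is not required
#    (typically servers and domain controllers), and remember it is a workaround, not a patch.
if ($DisableSpooler -and $spooler.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Spooler stopped and set to Disabled.'
}
```

Run it first without the switch to see what the host reports; a server that shows "Print Spooler is running" and "Spooler accepts remote client connections" and has no business printing is the case the workaround is meant for. Hosts that must keep printing still need the cumulative updates installed and the Point and Print values above left at their hardened settings.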
On Thursday, Cisco Talos researchers published a report describing how the Vice Society ransomware gang has been attempting to exploit two of the PrintNightmare vulnerabilities at organizations that have not yet implemented patches.
The Vice Society gang appears to have started this particular operation in mid-2021 - about the same time the PrintNightmare vulnerabilities were first disclosed and proof-of-concept exploit code was publicly released. The group is targeting small and midsized organizations with a double extortion tactic: It encrypts victims' files, exfiltrates data and threatens to publish that information on a darknet data leak site unless the victim pays a ransom, according to the Cisco Talos analysis.
"This group has … targeted public school districts and other educational institutions. As they are a new actor in this space, Vice Society's tools, techniques and procedures are difficult to quantify," the Cisco Talos researchers note. "However, based on incident response observations, they are quick to leverage new vulnerabilities for lateral movement and persistence on a victim's network. They also attempt to be innovative on end-point detection response bypasses."
The Vice Society gang appears to use a malicious dynamic-link library, or DLL, to exploit two of the bugs, CVE-2021-1675 and CVE-2021-34527, according to Cisco Talos.
The Cisco Talos team also described other tools and techniques that the gang uses as part of its ransomware extortion attempts, including targeting backups to prevent recovery after the ransomware is deployed and attempting to bypass native Windows protections in order to steal credentials and escalate privileges.
Meanwhile, CrowdStrike is tracking the operators of a ransomware family called Magniber, who are also exploiting unpatched PrintNightmare vulnerabilities.
"CrowdStrike recently observed new activity related to a 2017 ransomware family, known as Magniber, using the PrintNightmare vulnerability on victims in South Korea," the researchers note. "On July 13, CrowdStrike successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability, protecting customers before any encryption takes place."
After compromising a device by exploiting the PrintNightmare vulnerabilities, the Magniber operators use an obfuscated DLL loader to gain a foothold on it. The ransomware payload is then deployed and begins encrypting files.
Following its Patch Tuesday release this week, Microsoft issued the emergency advisory for a third PrintNightmare vulnerability, which is now tracked as CVE-2021-36958.
This flaw, if exploited, could enable an attacker to run arbitrary code on a device, Microsoft notes.
"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges," according to the emergency alert. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."